–Click the icon to the right of the IP address to launch the controller Web user interface in a new browser window.

•Device Name—Indicates the name of the controller. Click the Controller Name link to sort the list by controller name.

•Device Type—Click to sort by type. Based on the series, device types are grouped. For example:

–WLC2100—21xx Series Wireless LAN Controllers

–2500—25xx Series Wireless LAN Controllers

–4400—44xx Series Wireless LAN Controllers

–5500—55xx Series Wireless LAN Controllers

–7500—75xx Series Wireless LAN Controllers

–WiSM—WiSM (slot number, port number)

–WiSM2—WiSM2 (slot number, port number)

•Location—Indicates the location of the controller.

•Software Version—The operating system release.version.dot.maintenance number of the code currently running on the controller.

•Mobility Group Name—Name of the mobility or WPS group.

•Reachability Status—Reachable or not reachable.

Note Reachability status is updated from the last execution of the Device Status background task. To update the current status, choose Administration > Background Tasks, and choose Execute Now from the Select a command drop-down list.

•Audit Status

–Not Available—No audit has occurred on this controller.

–Identical—No configuration differences were discovered.

–Mismatch—Configuration differences were discovered.

Click the Audit Status link to access the audit report. In the Audit Report page, choose Audit Now from the Select a command drop-down list to run a new audit for this controller. See the "Understanding the Controller Audit Report" section for more information on audit reports.

Note Audit status is updated from the last execution of either the Configuration Sync background task or the Audit Now option in the Controllers page. To get the current status, either choose Administration > Background Tasks and choose Execute Now from the Select a command drop-down list, or choose Audit Now from the Select a command drop-down list in the Controllers page.

–If the failed enforcement count is greater than zero, this number appears as a link. Click the link to view the failures returned from the device.

•Other NCS discrepancies

Note The controller audit report indicates if the audit was performed on all parameters or on a selected set of parameters.

Note See the "Configuring an Audit" section for more in-depth information on the two types of audits and how to manage specific parameters for the audit.

A current Controller Audit Report can be accessed in the Configure > Controllers page by clicking a value in the Audit Status column.

You can audit a controller by choosing Audit Now from the Select a command drop-down list in the Configure > Controllers page (see the "Using the Audit Now Feature" section for more information) or by clicking Audit Now in the Controller Audit Report.

If you want to add one controller or use commas to separate multiple controllers, leave the Add Format Type drop-down list at Device Info.

If you want to add multiple controllers by importing a CSV file, choose File from the Add Format Type drop-down list. The CSV file allows you to generate your own import file and add the devices you want.

Note When a controller is removed from the system, the associated access points are not removed automatically and therefore remain in the system. These disassociated access points must be removed manually.

Note If you are adding a controller into NCS across a GRE link using IPsec or a lower-MTU link with multiple fragments, you may need to adjust the Maximum VarBinds per Get PDU and Maximum VarBinds per Set PDU values. If these values are set too high, the controller may fail to be added into NCS. To adjust them, do the following: stop NCS, choose Administration > Settings > SNMP Settings, and edit the Maximum VarBinds per Get PDU and Maximum VarBinds per Set PDU values to 50 or lower.

Note If you reduce the Maximum VarBinds per Get PDU or Maximum VarBinds per Set PDU value, applying the configurations to the device might fail.

Step 4 If you chose Device Info, enter the IP address of the controller you want to add. If you want to add multiple controllers, use a comma between the string of IP addresses.

Note If a partial byte boundary is used and the IP address appears to be a broadcast address (without regard to the partial byte boundary), the controller cannot be added into NCS. For example, 10.0.2.255/23 cannot be added but 10.0.2.254/23 can.

If you chose File, click Browse to find the location of the CSV file you want to import.

The first row of the CSV file is used to describe the columns included. The IP Address column is mandatory. The following example shows a sample CSV file.

Step 5 Select the Verify Telnet/SSH Credentials check box if you want this controller to verify Telnet/SSH credentials. You may want to leave this unselected (or disabled) because of the substantial time it takes for discovery of the devices.

Step 6 Use the Version drop-down list to choose v1, v2, or v3.

Step 7 In the Retries parameter, enter the number of attempts made to discover the controller.

Step 8 Provide the client session timeout value in seconds. This determines the maximum amount of time allowed for a client before it is forced to reauthenticate.

Step 9 In the Community parameter, enter either public or private (for v1 and v2 only).

Note If you go back and later change the community mode, you must perform a refresh config for that controller.

Step 14 Enter the Telnet credentials information for the controller. If you chose the File option and added multiple controllers, the information will apply to all specified controllers. If you added controllers from a CSV file, the username and password information is obtained from the CSV file.

Note The Telnet/SSH username must have sufficient privileges to execute commands in CLI templates.

The default username and password are both admin.

Step 15 Enter the retries and timeout values. The default retries number is 3, and the default retry timeout is 1 minute.

Note When a controller is added to the NCS, the NCS acts as a TRAP receiver and the following traps are enabled on the controller: 802.11 Disassociation, 802.11 Deauthentication, and 802.11 Authenticated.

Note To update the credentials of multiple controllers in bulk, choose Bulk Update Controllers from the Select a command drop-down list. The Bulk Update Controllers page appears. You can choose a CSV file. The CSV file contains a list of controllers to be updated, one controller per line. Each line is a comma-separated list of controller attributes. The first line describes the attributes included. The IP address attribute is mandatory. For details, see the NCS Configuration Guide.

Bulk Update of Controller Credentials

You can update the credentials of multiple controllers by importing a CSV file.
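Both CSV-driven inputs described above (the File option when adding controllers, and the Bulk Update Controllers file) share one rule: the first row names the columns and IP Address is mandatory. The following Python is an added example, not part of the guide or of NCS, that checks such a file, and a Device Info comma-separated list, before import, applying the broadcast-looking-address limitation noted for partial byte boundaries; the sample file, the Device Name column and the rounding cap at /24 are assumptions.

```python
import csv
import io
import ipaddress
import math

# Constructed sample import file, not taken from the guide.  The guide requires
# only that the first row names the columns and that "IP Address" is present;
# "Device Name" is an assumed extra column.
SAMPLE_CSV = """IP Address,Device Name
10.0.2.254/23,wlc-lab-1
10.0.2.255/23,wlc-lab-2
192.168.10.20,wlc-branch
,wlc-missing-ip
not-an-address,wlc-typo
"""

MANDATORY_COLUMN = "IP Address"


def appears_broadcast(addr: str) -> bool:
    """Return True if the guide's byte-boundary rule would reject the address.

    With a prefix that does not fall on a byte boundary (for example /23) the
    address is treated as broadcast if it looks like one at the next byte
    boundary (/24): 10.0.2.255/23 is rejected, 10.0.2.254/23 is accepted.
    The real broadcast address of the network is rejected as well, since it is
    never a valid host.  Without a prefix there is no network to compare with.
    """
    if "/" not in addr:
        return False
    iface = ipaddress.IPv4Interface(addr)  # raises ValueError on bad input
    net = iface.network
    if net.prefixlen == 32:
        return False  # a /32 names a single host; nothing to round
    if iface.ip == net.broadcast_address:
        return True  # the real broadcast address
    if net.prefixlen % 8 == 0:
        return False  # already on a byte boundary; the real check is enough
    # Assumption: the guide shows only /23 -> /24.  Round up to the next byte
    # boundary but no further than /24, so that a /30 is not rounded to a /32.
    rounded = min(math.ceil(net.prefixlen / 8) * 8, 24)
    rounded_net = ipaddress.IPv4Network(f"{iface.ip}/{rounded}", strict=False)
    return iface.ip == rounded_net.broadcast_address


def check_address(raw: str):
    """Return None if the address can be added, otherwise the reason it cannot."""
    if not raw:
        return "empty IP Address"
    try:
        ipaddress.IPv4Interface(raw)
    except ValueError:
        return "not a valid IPv4 address"
    if appears_broadcast(raw):
        return "appears to be a broadcast address"
    return None


def parse_device_info(text: str):
    """Device Info mode: one address, or several separated by commas."""
    accepted, rejected = [], []
    for item in text.split(","):
        raw = item.strip()
        reason = check_address(raw)
        if reason:
            rejected.append((raw, reason))
        else:
            accepted.append(raw)
    return accepted, rejected


def validate_import_csv(text: str):
    """File mode: the header row names the columns; "IP Address" is mandatory.

    Returns (accepted, rejected).  Rejected entries carry the 1-based line
    number and the reason, so the operator can fix the file before importing.
    """
    reader = csv.DictReader(io.StringIO(text))
    if reader.fieldnames is None or MANDATORY_COLUMN not in reader.fieldnames:
        raise ValueError(f'first row must include the "{MANDATORY_COLUMN}" column')
    accepted, rejected = [], []
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        raw = (row.get(MANDATORY_COLUMN) or "").strip()
        reason = check_address(raw)
        if reason:
            rejected.append((line_no, raw, reason))
        else:
            accepted.append((line_no, raw))
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = validate_import_csv(SAMPLE_CSV)
    for line_no, raw, reason in bad:
        print(f"line {line_no}: {raw!r} rejected: {reason}")
    print("would add:", [raw for _, raw in ok])
```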

•Save Config to Flash—Data is saved to the controller in non-volatile RAM (NVRAM) and is preserved in the event of a power cycle. If the controller is rebooted, all applied changes are lost unless the configuration has been saved.

•Reboot APs—Select the check box to enable a reboot of the access point after making any other updates.

•Swap AP Image—Indicates whether or not to reboot controllers and APs by swapping AP images. This could be either Yes or No.

Note Reboot Type Automatic can be set only when the Download software to controller option alone is selected.

•Download date/time—Enter a date in the provided text box or click the calendar icon to open a calendar from which you can choose a date. Choose the time from the hours and minutes drop-down lists.

•Reboot date/time—This option appears only if you select the reboot type as "Scheduled". Enter a date in the provided text box or click the calendar icon to open a calendar from which you can choose a date to reboot the controller. Choose the time from the hours and minutes drop-down lists.

Note Schedule enough time (at least 30 minutes) between Download and Reboot so that all APs can complete the software pre-download.

Note If any AP is still in the pre-download state at the time of the scheduled reboot, the controller does not reboot. In that case, wait for the pre-download to finish on all APs and reboot the controller manually.

–In the Upload to File from /(root)/NCS-tftp/ or /(root)/NCS-ftp/ field, enter the file name.

–Select whether or not Cisco NCS saves before backing up the configuration.

Note The Cisco NCS uses an integral TFTP and FTP server. This means that third-party TFTP and FTP servers cannot run on the same workstation as the Cisco NCS, because the Cisco NCS and the third-party servers use the same communication port.

Step 7 Click OK. The selected file will be uploaded to your TFTP or FTP server and named what you entered in the File Name text box.

Downloading IDS Signatures

To download Intrusion Detection System (IDS) signature files to a controller, follow these steps:

Tip If the transfer times out for some reason, you can choose the TFTP server option in the File is located on parameter; the server file name is populated and retried.

Note The local machine option initiates a two-step operation. First, the local file is copied from the administrator workstation to the built-in TFTP server of NCS. Then the controller retrieves that file. For later operations, the file is already in the NCS server TFTP directory, and the download web page automatically populates the file name.

Downloading a Customized WebAuthentication Bundle to a Controller

To download a customized web authentication bundle to a controller, follow these steps:

In the Download Customized WebAuth bundle to Controller page, the controller IP address and its current status appear.

Step 5 Select the Local machine radio button in the File is located on parameter.

Note If you know the file name and path relative to the server root directory, you can also select the TFTP server radio button.

Note For a local machine download, either a .zip or a .tar file can be used, because NCS converts .zip to .tar automatically. If you choose a TFTP server download, only .tar files can be specified.

Step 6 In the Maximum Retries text box, enter the maximum number of tries the controller should attempt to download the file.

Step 7 In the Timeout text box, enter the maximum amount of time (in seconds) before the controller times out while attempting to download the file.

Step 8 Specify the local file name or click Browse to navigate to the appropriate file. The controller uses this local file name as a base name and adds _custom.sgi as a suffix.

Step 9 Click Download.

Tip If the transfer times out for some reason, you can select the TFTP server radio button in the File is located on parameter; the server file name is populated and retried.

Step 10 The local machine option initiates a two-step operation. First, the local file is copied from the administrator workstation to the built-in TFTP server of NCS. Then the controller retrieves that file. For later operations, the file is already in the NCS server TFTP directory, and the download web page automatically populates the file name.

Step 11 After completing the download, you are directed to a new page and are able to authenticate.

Downloading a Vendor Device Certificate

Each wireless device (controller, access point, and client) has its own device certificate. If you wish to use your own vendor-specific device certificate, it must be downloaded to the controller.

To download a vendor device certificate to a controller, follow these steps:

Step 3 In the Certificate Password text box, enter the password used to protect the certificate.

Step 4 Re-enter the password in the Confirm Password text box.

Step 5 In the File is located on parameter, select the Local machine or TFTP server radio button.

Note If the certificate is located on the TFTP server, enter the Server File Name. If it is located on the local machine, enter the local file name by clicking Browse.

Step 6 Enter the TFTP server name in the Server Name parameter. The default is the NCS server.

Step 7 Enter the server IP address.

Step 8 In the Maximum Retries text box, enter the maximum number of times that the TFTP server attempts to download the certificate.

Step 9 In the Timeout text box, enter the amount of time (in seconds) that the TFTP server attempts to download the certificate.

Step 10 In the Local File Name text box, enter the directory path of the certificate.

Step 11 In the Server File Name text box, enter the name of the certificate.

Step 12 Click Download.

Downloading a Vendor CA Certificate

Controllers and access points have a certificate authority (CA) certificate that is used to sign and validate device certificates. The controller is shipped with a Cisco-installed CA certificate. This certificate may be used by EAP-TLS and EAP-FAST (when not using PACs) to authenticate wireless clients during local EAP authentication. However, if you wish to use your own vendor-specific CA certificate, it must be downloaded to the controller.

To download a vendor CA certificate to the controller, follow these steps:

Refreshing the Configuration from the Controller

Step 3 From the Select a command drop-down list, choose Refresh Config from Controller.

Step 4 Click Go.

Step 5 At the Configuration Change prompt, select the Retain or Delete radio button.

Step 6 Click Go.

Discovering Templates from the Controller

Prior to software release 5.1, templates were detected when a controller was detected, and every configuration found on NCS for a controller had an associated template. Now templates are not automatically detected with controller discovery, and you can specify which NCS configurations you want to have associated templates.

Note The templates that are discovered do not retrieve management or local user passwords.

The following rules apply for template discovery:

•Template Discovery discovers templates that are not found in NCS.

•Existing templates are not discovered.

To discover current templates, follow these steps:

Step 1 Choose Configure > Controllers.

Step 2 Select the check box of the controller for which you want to discover templates.

Step 4 Click Go. The Discover Templates page displays the number of discovered templates, each template type and each template name.

Note You can select the "Enabling this option will create association between discovered templates and the device listed above" check box so that discovered templates are associated with the configuration on the device and are shown as applied on that controller.

Note Template discovery refreshes configuration from the controller prior to discovering templates. Click OK in the warning dialog box to continue with the discovery.

Updating Credentials in NCS

There is no single configuration page in NCS for updating SNMP/Telnet credential details for multiple controllers. To perform this mass update, you need to go to each device and update the SNMP and Telnet credentials.

To update the SNMP/Telnet credentials, follow these steps:

Step 1 Choose Configure > Controllers.

Step 2 Select the check box for each controller whose SNMP/Telnet credentials you want to update.

Step 5 Select the Telnet/SSH Parameters check box and specify the following parameters:

•User Name—Enter the user name.

•Password/Confirm Password—Enter and confirm the password.

•Timeout—Indicate the amount of time (in seconds) allowed before the process times out. The valid range is 2 to 90 seconds. The default is 60 seconds.

Viewing Templates Applied to a Controller

You can view all templates currently applied to a specific controller.

Note Only templates applied in this partition are displayed.

To view applied templates, follow these steps:

Step 1 Choose Configure > Controllers.

Step 2 Select the check box for the applicable controller.

Step 3 From the Select a command drop-down list, choose Templates Applied to a Controller.

Step 4 Click Go. The Templates Applied to a Controller page displays each applied template name, template type, the date the template was last saved, and the date the template was last applied.

Note Click the template name link to view the template details. See "Using Templates" for more information.

Using the Audit Now Feature

You can audit a controller by choosing Audit Now from the Select a command drop-down list in the Configure > Controllers page or by clicking Audit Now in the Controller Audit Report.

Note A current Controller Audit Report can be accessed in the Configure > Controllers page by clicking a value in the Audit Status column.

To audit a controller, follow these steps:

Step 1 Choose Configure > Controllers.

Step 2 Select the check box for the applicable controller.

Step 3 From the Select a command drop-down list, choose Audit Now.

Step 4 Click Go.

Step 5 Click OK in the pop-up dialog box if you want to remove the template associations from configuration objects in the database as well as template associations for this controller from associated config groups (Template based audit only).

•Total enforcements for config groups with background audit enabled—If the audit finds discrepancies regarding the config groups enabled for background audit, and enforcement is enabled, this section lists the enforcements made during the controller audit. Choose Config Groups > General for more information on enabling the background audit.

•Failed Enforcements for Config Groups with background audit enabled—Click the link to view a list of failure details (including the reason for the failure) returned by the device. See "Config Groups > General" for more information on enabling the background audit (ConfigAuditSet).

•Restore NCS Values to Controller or Refresh Config from Controller—If the audit finds configuration differences, you can click either Restore NCS Values to Controller or Refresh Config from Controller to bring the NCS configuration in sync with the controller.

–Choose Restore NCS Values to Controller to push the discrepancies to the device.

–Choose Refresh Config from Controller to pick up the configuration from the device.

Note Templates are not refreshed as a result of clicking Refresh Config from Controller.

Viewing the Latest Network Audit Report

The Network Audit Report shows the time of the audit, the IP address of the selected controller, and the synchronization status.

Note This method shows the report from the network audit task and not an on-demand audit per controller.

To view the latest network audit report for the selected controllers, follow these steps:

The Audit Summary displays the time of the audit, the IP address of the selected controller, and the audit status. The Audit Details display the config differences, if applicable.

Note Use the General and Schedule tabs to revise Audit Report parameters. See "Configuration Audit Report" section for more information.

Command Buttons

•Save—Click to save changes made to the current parameters.

•Save and Run—Click to save the changes to the current parameters and run the report.

•Run Now—Click to run the audit report based on existing parameters.

•Export Now—Click to export the report results. The supported export formats are PDF and CSV.

•Cancel—Click to cancel any changes made to the existing parameters.

Note From the All Controllers page, click the Audit Status column value to view the latest audit details page for the selected controller. This method has similar information as the Network Audit report on the Reports menu, but this report is interactive and per controller.

Note To run an on-demand audit report, choose the controller you want to run the report on and choose Audit Now from the Select a command drop-down list. If you run an on-demand audit report and configuration differences are detected, you are given the option to retain the existing controller or NCS values.

Note The Telnet/SSH username must have sufficient privileges to execute commands in CLI templates.

–Password/Confirm Password—Enter and confirm the password. (Default password is admin.)

–Retries—Indicate the number of allowed retry attempts. The default is three.

–Timeout—Indicate the amount of time (in seconds) allowed before the process times out. The default is 60 seconds.

Note Default values are used if the Telnet/SSH parameters are left blank.

Step 4 If you made changes to the properties of this controller, click OK to confirm the changes, Reset to return to the previous or default settings, or Cancel to return to the Configure > Controllers page without making any changes to these settings.

Configuring Controller System Parameters

This section describes how to configure the controller system parameters and includes the following topics:

The access point maintains a list of backup controllers and periodically sends primary discovery requests to each entry in the list. When configured, the primary discovery request timer specifies the amount of time that a controller has to respond to the discovery request of the access point before the access point assumes that the controller cannot be joined and waits for a discovery response from the next controller in the list.

Link aggregation (LAG) is a partial implementation of the 802.3ad port aggregation standard. It bundles all of the controller distribution system ports into a single 802.3ad port channel, thereby reducing the number of IP addresses needed to configure the ports on your controller. When LAG is enabled, the system dynamically manages port redundancy and load balances access points transparently to the user.

Note LAG is disabled by default on the Cisco 5500 and 4400 series controllers but enabled by default on the Cisco WiSM and the controller in the Catalyst 3750G Integrated Wireless LAN Controller Switch.

Over-the-air provisioning (OTAP) is supported by Cisco 5500 and 4400 series controllers. If this feature is enabled on the controller, all associated access points transmit wireless CAPWAP or LWAPP neighbor messages, and new access points receive the controller IP address from these messages. This feature is disabled by default and should remain disabled when all access points are installed.

Note Disabling OTAP on the controller does not disable it on the access point. OTAP cannot be disabled on the access point.

Note Enabling AP Fallback causes an access point that has lost its connection to its primary controller to automatically return to service when the primary controller comes back.

•AP Failover Priority—Disable or enable.

Note To configure failover priority settings for access points, you must first enable the AP Failover Priority feature. See the "AP Failover Priority" section for more information.

•AppleTalk Bridging—Disable or enable.

•Fast SSID change—Disable or enable.

When fast SSID changing is enabled, the controller allows clients to move between SSIDs. When the client sends a new association for a different SSID, the client entry in the controller connection table is cleared before the client is added to the new SSID. When fast SSID changing is disabled, the controller enforces a delay before clients are allowed to move to a new SSID.

Note If enabled, the client connects instantly to the controller between SSIDs without having appreciable loss of connectivity.

•Master Controller Mode—Disable or enable.

Note Because the master controller is normally not used in a deployed network, the master controller setting is automatically disabled upon reboot or OS code upgrade.

Tip When you hover your mouse cursor over the parameter text box, the valid range for that field appears.

•Mobility Anchor Group Keep Alive Retries—Enter the number of allowable retries.

Tip When you hover your mouse cursor over the parameter text box, the valid range for that field appears.

•RF Network Name—Enter the network name.

•User Idle Timeout (seconds)—Enter the timeout in seconds.

•ARP Timeout (seconds)—Enter the timeout in seconds.

AP Failover Priority

When a controller fails, the backup controller configured for the access point suddenly receives a number of Discovery and Join requests. If the controller becomes overloaded, it may reject some of the access points.

By assigning failover priority to an access point, you have some control over which access points are rejected. When the backup controller is overloaded, join requests from access points configured with higher priority levels take precedence over those from lower-priority access points.

To configure failover priority settings for access points, you must first enable the AP Failover Priority feature.

Configuring 802.3 Bridging

The controller supports 802.3 frames and applications that use them, such as those typically used for cash registers and cash register servers. However, to make these applications work with the controller, the 802.3 frames must be bridged on the controller.

Support for raw 802.3 frames allows the controller to bridge non-IP frames for applications not running over IP. Only this raw 802.3 frame format is currently supported.

To configure 802.3 bridging using NCS release 4.1 or later, follow these steps:

Step 1 Choose Configure > Controllers.

Step 2 Click the IP address of the applicable controller.

Step 3 Choose System > General to access the General page.

Step 4 From the 802.3 Bridging drop-down list, choose Enable to enable 802.3 bridging on your controller or Disable to disable this feature. The default value is Disable.

Step 5 Click Save to confirm your changes.

802.3x Flow Control

Flow control is a technique for ensuring that a transmitting entity, such as a modem, does not overwhelm a receiving entity with data. When the buffers on the receiving device are full, a message is sent to the sending device to suspend the transmission until the data in the buffers has been processed.

By default, flow control is disabled. You can enable a Cisco switch only to receive PAUSE frames, not to send them.

Step 4 After the controller reboots, follow these steps to verify that the CAPWAP transport mode is now Layer 2:

a. Choose Configure> Controllers.

b. Click the IP address of the applicable controller.

c. Verify that the current CAPWAP transport mode is Layer 2 in the General drop-down list.

You have completed the CAPWAP transport mode conversion from Layer 3 to Layer 2. The operating system software now controls all communications between controllers and access points on the same subnet.

Aggressive Load Balancing

In routing, load balancing refers to the capability of a router to distribute traffic over all its network ports that are the same distance from the destination address. Good load-balancing algorithms use both line speed and reliability information. Load balancing increases the use of network segments, thus increasing effective network bandwidth.

Aggressive load balancing actively balances the load between the mobile clients and their associated access points.

Link Aggregation

Link aggregation allows you to reduce the number of IP addresses needed to configure the ports on your controller by grouping all the physical ports and creating a link aggregation group (LAG). In a 4402 model, two ports are combined to form a LAG whereas in a 4404 model, all four ports are combined to form a LAG.

If LAG is enabled on a controller, the following configuration changes occur:

•Any dynamic interfaces that you have created are deleted. This is done to prevent configuration inconsistencies in the interface database.

•Interfaces cannot be created with the "Dynamic AP Manager" flag set.

Note You cannot create more than one LAG on a controller.

The advantages of creating a LAG include:

•Assurance that, if one of the links goes down, the traffic is moved to the other links in the LAG. As long as one of the physical ports is working, the system remains functional.

•No need to configure separate backup ports for each interface.

•Multiple AP-manager interfaces are not required because only one logical port is visible to the application.

Note When you make changes to the LAG configuration, the controller has to be rebooted for the changes to take effect.

Tip When you hover your mouse over the parameter text box, the valid range for that field appears.

Wireless Management

Because of IPSec operation, management via wireless is only available to operators logging in across WPA, Static WEP, or VPN Pass Through WLANs. Wireless management is not available to clients attempting to log in via an IPSec WLAN.

Mobility Anchor Group Keep Alive Interval

Indicate the delay between tries for clients attempting to join another access point. This decreases the time it takes for a client to join another access point following a controller failure because the failure is quickly identified, the clients are moved away from the problem controller, and the clients are anchored to another controller.

Tip When you hover your mouse over the parameter text box, the valid range for that field appears.

Configuring Controller System Commands

To view the System Command parameters for current controllers, follow these steps:

Step 1 Choose Configure > Controllers.

Step 2 Click the IP address of the applicable controller.

Step 3 From the left sidebar menu, choose System > Commands. The following parameters appear:

•Administrative

–Reboot—This command enables you to confirm the restart of your controller after saving your configuration changes. Open and confirm a new session and log into the controller to avoid losing a system connection.

–Save Config to Flash—Data is saved to the controller in non-volatile RAM (NVRAM) and is preserved in the event of a power cycle. If the controller is rebooted, all applied changes are lost unless the configuration has been saved.

–Ping From Controller—Send a ping to a network element. This pop-up dialog box allows you to tell the controller to send a ping request to a specified IP address. This is useful for determining whether there is connectivity between the controller and a particular IP station. If you click OK, three pings are sent and the results are displayed in the pop-up. If no reply to the ping is received, the dialog box shows No Reply Received from IP xxx.xxx.xxx.xxx; otherwise it shows Reply received from IP xxx.xxx.xxx.xxx: (send count =3, receive count = n).

Note Select the FTP or TFTP radio button. Both File Transfer Protocol (FTP) and Trivial File Transfer Protocol (TFTP) are supported for uploading and downloading files to and from NCS. In previous software releases, only TFTP was supported.

–Download Software—Choose this command to download software to the selected controller or all controllers in the selected groups after you have a configuration group established. See the "Downloading Software to a Controller" section.

–Download IDS Signatures—Choose this command to download customized signatures to the standard signature file currently on the controller. See the "Downloading Signature Files" section for more information.

–802.11a/n Power Update—Updates access point dynamic transmit power algorithm for 802.11a/n Cisco Radios.

–802.11b/g/n Power Update—Updates access point dynamic transmit power algorithm for 802.11b/g/n Cisco Radios.

Restoring Factory Defaults

Choose Configure > Controllers, and click an IP address in the IP Address column. From the left sidebar menu, choose System > Commands, and from the Administrative Commands drop-down list, choose Reset to Factory Default, and click Go to access this page.

This command enables you to reset the controller configuration to the factory default. This overwrites all applied and saved configuration parameters. You are prompted for confirmation to re-initialize your controller.

All configuration data files are deleted, and upon reboot, the controller is restored to its original non-configured state. This will remove all IP configuration, and you will need a serial connection to restore its base configuration.

Note After confirming configuration removal, you must reboot the controller and select the "Reboot Without Saving" option.

Setting Controller Time and Date

Choose Configure > Controllers, and click an IP address under the IP Address column. From the left sidebar menu, choose System > Commands, and from the Configuration Commands drop-down list choose Set System Time, and click Go to access this page.

Use this command to manually set the current time and date on the controller. To use a Network Time Server to set or refresh the current time, see the "Configuring an NTP Server Template" section. The following parameters appear:

•Current Time—Shows the time currently being used by the system.

•Month/Day/Year—Choose the month/day/year from the drop-down list.

•Hour/Minutes/Seconds—Choose the hour/minutes/seconds from the drop-down list.

•Choose whether or not Cisco NCS saves before backing up the configuration.

Step 6 Click OK. The selected file will be uploaded to your TFTP server and named what you entered in the File Name text box.

Note The Cisco NCS uses an integral TFTP server. This means that third-party TFTP servers cannot run on the same workstation as the Cisco NCS, because the Cisco NCS and the third-party TFTP servers use the same communication port.

Use this command to download and install a configuration file to your controller from a local TFTP (Trivial File Transfer Protocol) server. The following parameters appear:


•IP Address—IP address of the controller.

•Status—Status of the certificate, for example, NOT_INITIATED.

TFTP Servers

•Server Name—Choose Default Server or New from the drop-down list. When you choose New, type in the IP address.

•Server Address—IP address of the server.

•Maximum Retries—How many times to retry if the download fails.

•Timeout—How long to allow between retries.

•File Name—Enter or choose the filename to download by clicking the Browse button.

Use this command to download and install a new Operating System software to your controller from a local TFTP (Trivial File Transfer Protocol) server.


•IP Address—IP address of the controller to receive the software.

•Current Software Version—The software version currently running on the controller.

This page enables you to download a web administration certificate to the controller. The following parameters appear:

Caution Each certificate has a variable-length embedded RSA key. The RSA key length varies from 512 bits, which is relatively insecure, to thousands of bits, which is very secure. When you are obtaining a new certificate from a certificate authority (such as the Microsoft CA), make sure the RSA key embedded in the certificate is at least 768 bits.

•IP Address—IP address of the controller to receive the certificate.

•Status—Status of the certificate, for example, NOT_INITIATED.

TFTP Servers

•Server Name—Use the drop-down list to choose the Default Server or New. When you select New, type in the IP address.

•Server Address—IP address of the server.

•Maximum Retries—Maximum number of times each download operation can be attempted.

•Timeout (seconds)—The amount of time allowed for each download operation.
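The Caution above asks you to confirm the RSA key size before uploading a web administration certificate. The following added example (not part of this guide or of NCS) walks the DER structure of a certificate or public key without any third-party library and reports the modulus length; the `build_sample_spki` and `to_pem` helpers only construct test input and are not real keys.

```python
import base64
import re
from typing import Optional

# OID 1.2.840.113549.1.1.1 (rsaEncryption) as encoded inside a DER OBJECT IDENTIFIER
RSA_OID = bytes.fromhex("2a864886f70d010101")


def load_der(data: bytes) -> bytes:
    """Accept either PEM (BEGIN/END armour) or raw DER bytes and return DER."""
    if b"-----BEGIN" in data:
        body = re.sub(rb"-----[^-]+-----", b"", data)
        return base64.b64decode(b"".join(body.split()))
    return data


def _read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length header; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(buf: bytes, start: int, end: int):
    pos = start
    while pos < end:
        tag, vstart, vend = _read_tlv(buf, pos)
        yield tag, vstart, vend
        pos = vend


def _is_rsa_algorithm(buf: bytes, start: int, end: int) -> bool:
    first = next(_children(buf, start, end), None)
    return first is not None and first[0] == 0x06 and buf[first[1]:first[2]] == RSA_OID


def rsa_modulus_bits(der: bytes) -> Optional[int]:
    """Walk a certificate (or a bare SubjectPublicKeyInfo) and return the bit length
    of the RSA modulus, or None if no rsaEncryption key is found or the DER is malformed."""
    stack = [(0, len(der))]
    try:
        while stack:
            start, end = stack.pop()
            kids = list(_children(der, start, end))
            for i, (tag, vstart, vend) in enumerate(kids):
                # SubjectPublicKeyInfo = SEQUENCE { AlgorithmIdentifier, BIT STRING }
                if (tag == 0x30 and _is_rsa_algorithm(der, vstart, vend)
                        and i + 1 < len(kids) and kids[i + 1][0] == 0x03):
                    bit_start = kids[i + 1][1] + 1                 # skip "unused bits" byte
                    _, seq_start, _ = _read_tlv(der, bit_start)    # RSAPublicKey SEQUENCE
                    _, m_start, m_end = _read_tlv(der, seq_start)  # INTEGER modulus
                    return int.from_bytes(der[m_start:m_end], "big").bit_length()
                if tag & 0x20:                                     # constructed: descend
                    stack.append((vstart, vend))
    except IndexError:
        return None
    return None


def web_admin_cert_key_ok(data: bytes, minimum_bits: int = 768) -> bool:
    """True if the embedded RSA key meets the minimum the Caution calls for."""
    bits = rsa_modulus_bits(load_der(data))
    return bits is not None and bits >= minimum_bits


# --- helpers that only build constructed test input (not real keys) ---------------

def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(content)) + content


def _der_int(value: int) -> bytes:
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:                     # leading zero keeps the INTEGER positive
        body = b"\x00" + body
    return _tlv(0x02, body)


def build_sample_spki(modulus_bits: int) -> bytes:
    """Constructed rsaEncryption SubjectPublicKeyInfo whose modulus has exactly
    modulus_bits bits; only the ASN.1 shape matters, the value is not a usable key."""
    modulus = (1 << (modulus_bits - 1)) | 1
    rsa_public_key = _tlv(0x30, _der_int(modulus) + _der_int(65537))
    algorithm = _tlv(0x30, _tlv(0x06, RSA_OID) + _tlv(0x05, b""))
    return _tlv(0x30, algorithm + _tlv(0x03, b"\x00" + rsa_public_key))


def to_pem(der: bytes) -> bytes:
    return b"-----BEGIN PUBLIC KEY-----\n" + base64.encodebytes(der) + b"-----END PUBLIC KEY-----\n"
```

Feed `web_admin_cert_key_ok` the PEM or DER file you received from the CA; a real certificate is walked the same way because its SubjectPublicKeyInfo sits inside tbsCertificate.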

Note •The Interface Group cannot be deleted if it has been assigned to WLAN(s).

•The Interface Group cannot be deleted if it has been assigned to AP Group(s).

•The Interface Group cannot be deleted if it has been assigned to Foreign Controller Mapping for the WLAN(s).

•The Interface Group Template cannot be deleted if it has been assigned to WLAN Template(s).

•The Interface Group Template cannot be deleted if it has been assigned to AP Group Template(s).

•You cannot enable/disable quarantine for an interface if it has been assigned to an interface group.

Viewing Interface Groups

To view existing interface groups, follow these steps:

Step 1 Choose Configure > Controllers.

Step 2 Click the IP address of the applicable controller.

Step 3 From the left sidebar menu, choose System > Interface Groups. The following parameters appear:

•Name—User-defined name for the interface group (for example, group1, group2).

•Description—(Optional) Description for the Interface Group.

•Interfaces—Count of the number of interfaces belonging to the group.

Step 4 Click the Interface group name link.

The Interface Groups Details page appears with the Interface group details as well as the details of the Interfaces that form part of that particular Interface group.

NAC Integration

The Cisco NAC appliance, also known as Cisco Clean Access (CCA), is a network admission control (NAC) product that allows network administrators to authenticate, authorize, evaluate, and remediate wired, wireless, and remote users and their machines prior to allowing users onto the network. It identifies whether machines are compliant with security policies and repairs vulnerabilities before permitting access to the network. The NAC appliance is available in two modes: in-band and out-of-band. Customers can deploy both modes if desired, each geared toward certain types of access (in-band for supporting wireless users and out-of-band for supporting wired users, for example).

For more information on NAC Out-of-Band Integration, see the applicable section in the Cisco Network Control System Configuration Guide.

Guidelines for Using SNMP NAC

•The NAC appliance supports up to 3500 users, and the controller supports up to 5000 users. Therefore, multiple NAC appliances might need to be deployed.

•Because the NAC appliance supports static VLAN mapping, you must configure a unique quarantine VLAN for each interface configured on the controller. For example, you might configure a quarantine VLAN of 110 on controller 1 and a quarantine VLAN of 120 on controller 2. However, if two WLANs or guest LANs use the same distribution system interface, they must use the same quarantine VLAN, provided they have one NAC appliance deployed in the network. The NAC appliance supports unique quarantine-to-access VLAN mapping.

•For posture reassessment based on session expiry, you must configure the session timeout on both the NAC appliance and the WLAN, making sure that the session expiry on the WLAN is greater than that on the NAC appliance.

•When a session timeout is configured on an open WLAN, the timing out of clients in the Quarantine state is determined by the timer on the NAC appliance. Once the session timeout expires for WLANs using web authentication, clients deauthenticate from the controller and must perform posture validation again.

•NAC out-of-band integration is supported only on WLANs configured for hybrid-REAP central switching. It is not supported for use on WLANs configured for hybrid-REAP local switching.

•If you want to enable NAC on an access point group VLAN, you must first enable NAC on the WLAN. Then you can enable or disable NAC on the access point group VLAN. If you ever decide to disable NAC on the WLAN, be sure to disable it on the access point group VLAN as well.

•NAC out-of-band integration is not supported for use with the WLAN AAA override feature.

•All Layer 2 and Layer 3 authentication occurs in the quarantine VLAN. To use external web authentication, you must configure the NAC appliance to allow HTTP traffic to and from external web servers and to allow the redirect URL in the quarantine VLAN.

Guidelines for Using RADIUS NAC

•RADIUS NAC is available only for WLAN with 802.1x/WPA/WPA2 Layer 2 security.

•RADIUS NAC cannot be enabled when HREAP local switching is enabled.

•AAA override should be enabled to configure RADIUS NAC.
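The SNMP NAC and RADIUS NAC guideline lists above are constraints on how WLANs, interfaces and quarantine VLANs fit together. As an added example (not from this guide or from NCS), the lint below encodes those guidelines over hand-constructed WLAN records so a planned deployment can be checked before it is pushed; the `Wlan` fields and the sample data are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Layer 2 security types on which RADIUS NAC is available
RADIUS_NAC_L2 = {"802.1x", "wpa", "wpa2"}


@dataclass
class Wlan:
    name: str
    controller: str
    interface: str                  # distribution system interface the WLAN maps to
    quarantine_vlan: Optional[int]  # quarantine VLAN ID configured on that interface
    nac_mode: str                   # "none", "snmp" (out-of-band) or "radius"
    l2_security: str                # "open", "web-auth", "802.1x", "wpa", "wpa2", ...
    hreap_local_switching: bool = False
    aaa_override: bool = False
    session_timeout: Optional[int] = None   # seconds; None if not configured


def check_nac_wlans(wlans: List[Wlan], nac_appliance_timeout: int) -> List[str]:
    """Return one message per guideline violation; an empty list means the set is consistent."""
    problems: List[str] = []
    vlans_by_interface: Dict[Tuple[str, str], Set[int]] = {}
    interfaces_by_vlan: Dict[Tuple[str, int], Set[str]] = {}

    for w in wlans:
        if w.nac_mode == "snmp":
            if w.hreap_local_switching:
                problems.append(f"{w.name}: SNMP NAC requires hybrid-REAP central switching")
            if w.aaa_override:
                problems.append(f"{w.name}: SNMP NAC is not supported with AAA override")
            # posture reassessment: WLAN session expiry must exceed the appliance's
            if w.session_timeout is not None and w.session_timeout <= nac_appliance_timeout:
                problems.append(
                    f"{w.name}: WLAN session timeout ({w.session_timeout}s) must exceed "
                    f"the NAC appliance timeout ({nac_appliance_timeout}s)")
        elif w.nac_mode == "radius":
            if w.l2_security not in RADIUS_NAC_L2:
                problems.append(
                    f"{w.name}: RADIUS NAC needs 802.1X/WPA/WPA2 Layer 2 security "
                    f"(has {w.l2_security})")
            if w.hreap_local_switching:
                problems.append(f"{w.name}: RADIUS NAC cannot be enabled with HREAP local switching")
            if not w.aaa_override:
                problems.append(f"{w.name}: RADIUS NAC requires AAA override")

        if w.quarantine_vlan is not None:
            vlans_by_interface.setdefault((w.controller, w.interface), set()).add(w.quarantine_vlan)
            interfaces_by_vlan.setdefault((w.controller, w.quarantine_vlan), set()).add(w.interface)

    # WLANs sharing one distribution system interface must share its quarantine VLAN
    for (ctrl, iface), vlans in sorted(vlans_by_interface.items()):
        if len(vlans) > 1:
            problems.append(f"{ctrl}/{iface}: WLANs on one interface use different "
                            f"quarantine VLANs {sorted(vlans)}")
    # each interface on a controller needs its own quarantine VLAN (static VLAN mapping)
    for (ctrl, vlan), ifaces in sorted(interfaces_by_vlan.items()):
        if len(ifaces) > 1:
            problems.append(f"{ctrl}: quarantine VLAN {vlan} is reused on interfaces {sorted(ifaces)}")
    return problems


# Constructed sample data, not taken from any real deployment.
SAMPLE_WLANS = [
    Wlan("corp-nac", "wlc1", "dyn-emp", 110, "snmp", "open", session_timeout=1800),
    Wlan("guest-nac", "wlc1", "dyn-emp", 120, "snmp", "web-auth", session_timeout=600),
    Wlan("byod", "wlc1", "dyn-byod", 110, "radius", "wpa2", aaa_override=True),
    Wlan("branch", "wlc2", "dyn-branch", 130, "radius", "open", hreap_local_switching=True),
]

if __name__ == "__main__":
    for line in check_nac_wlans(SAMPLE_WLANS, nac_appliance_timeout=900):
        print(line)
```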

Configuring NAC Out-of-Band Integration (SNMP NAC)

To configure SNMP NAC out-of-band integration, follow these steps:

Step 1 To configure the quarantine VLAN for a dynamic interface, follow these steps:

a. Choose Configure > Controller.

b. Choose which controller you are configuring for out-of-band integration by clicking it in the IP Address column.

c. Choose System > Interfaces from the left sidebar menu.

d. Choose Add Interface from the Select a command drop-down list.

e. In the Interface Name text box, enter a name for this interface, such as "quarantine."

f. In the VLAN Identifier text box, enter a non-zero value for the access VLAN ID, such as "10."

g. Select the Quarantine check box if the interface has a quarantine VLAN ID configured on it.

Note We recommend that you configure unique quarantine VLANs throughout your network. If multiple controllers are configured in the same mobility group and access interfaces on all controllers are in the same subnet, it is mandatory to have the same quarantine VLAN if there is only one NAC appliance in the network. If multiple controllers are configured in the same mobility group and access interfaces on all controllers are in different subnets, it is mandatory to have different quarantine VLANs if there is only one NAC appliance in the network.

h. Configure any remaining fields for this interface, such as the IP address, netmask, and default gateway.

i. Enter an IP address for the primary and secondary DHCP server.

j. Click Save. You are now ready to create a NAC-enabled WLAN or Guest LAN.

Step 2 To configure NAC out-of-band support on a WLAN or guest LAN, follow these steps:

a. Choose WLANs > WLAN from the left sidebar menu.

b. Choose Add a WLAN from the Select a command drop-down list and click Go.

c. If you have a template established that you want to apply to this controller, choose the guest LAN template name from the drop-down list. Otherwise, click the click here link to create a new template. For more information on setting up the template, see the "Configuring Wired Guest Access" section.

Step 3 To configure NAC out-of-band support for a specific AP group, follow these steps:

a. Choose WLANs > AP Groups VLAN from the left sidebar menu to open the AP Groups page.

Note AP Groups (for 5.2 and later controllers) is referred to as AP Group VLANs for controllers prior to 5.2.

b. Click the name of the desired AP group.

c. From the Interface Name drop-down list, choose the quarantine enabled interface.

d. To configure SNMP NAC support for this AP group, select SNMP NAC from the Nac State drop-down list. To disable NAC out-of-band support, select None from the Nac State drop-down list, which is the default value.

e. Click Apply to commit your changes.

Step 4 To see the current state of the client (either Quarantine or Access), follow these steps:

a. Choose Monitor > Clients to open the Clients page. Perform a search for clients.

b. Click the MAC address of the desired client to open the Clients > Detail page. The NAC state appears as access, invalid, or quarantine in the Security Information section.

Configuring Wired Guest Access

Wired Guest Access enables guest users to connect to the guest access network from a wired Ethernet connection designated and configured for guest access. Wired guest access ports might be available in a guest office or specific ports in a conference room.

Wired Guest Access can be configured in a standalone configuration or in a dual controller configuration employing an anchor and foreign controller. This latter configuration is used to further isolate wired guest access traffic but is not required for deployment of wired guest access.

The wired guest traffic is then trunked from the access switch to a wireless LAN controller. This controller is configured with an interface that is mapped to a wired guest access VLAN on the access switch.

If two controllers are being used, the controller (foreign) that receives the wired guest traffic from the switch then forwards the wired guest traffic to an anchor controller that is also configured for wired guest access. After successful hand off of the wired guest traffic to the anchor controller, a bidirectional Ethernet over IP (EoIP) tunnel is established between the foreign and anchor controllers to handle this traffic.

Note Although wired guest access is managed by anchor and foreign controllers when two controllers are deployed, mobility is not supported for wired guest access clients. In this case, DHCP and web authentication for the client are handled by the anchor controller.

Note You can specify how much bandwidth a wired guest user is allocated in the network by configuring and assigning a role and bandwidth contract. For details on configuring these features, see the "Configuring a Guest Account" section.

To configure and enable wired guest user access on the network, follow these steps:

Step 8 Choose Add a WLAN from the Select a command drop-down list, and click Go.

Step 9 If you have a template established that you want to apply to this controller, choose the guest LAN template name from the drop-down list. Otherwise, click the click here link to create a new template.

Step 10 In the WLAN > New Template general page, enter a name in the Profile Name text box that identifies the guest LAN. Do not use any spaces in the name entered.

Step 11 Select the Enabled check box for the WLAN Status parameter.

Step 12 From the Ingress Interface drop-down list, choose the VLAN that you created in Step 3. This VLAN provides a path between the wired guest client and the controller by way of the Layer 2 access switch.

Step 13 From the Egress Interface drop-down list, choose the name of the interface. This WLAN provides a path out of the controller for wired guest client traffic.

Note If you have only one controller in the configuration, choose management from the Egress Interface drop-down list.

a. To change the security policy to passthrough, select the Web Policy check box and select the Passthrough radio button. This option allows users to access the network without entering a username or password.

An Email Input check box appears. Select this check box if you want users to be prompted for their email address when attempting to connect to the network.

When the Web Auth Type drop-down list appears, choose one of the following options to define the web login page for the wireless guest users:

Default Internal—Displays the default web login page for the controller. This is the default value.

Customized Web Auth—Displays custom web login, login failure, and logout pages. When the customized option is selected, three separate drop-down lists for login, login failure, and logout page selection appear. You do not need to define a customized page for all three of the options. Choose None from the appropriate drop-down list if you do not want to display a customized page for that option.

External—Redirects users to an external server for authentication. If you choose this option, you must also enter the URL of the external server in the URL text box.

You can select specific RADIUS or LDAP servers to provide external authentication in the Security > AAA pane. To do so, continue with Step 17.

Note The RADIUS and LDAP external servers must be already configured to have selectable options in the Security > AAA pane. You can configure these servers on the RADIUS Authentication Servers, TACACS+ Authentication Servers page, and LDAP Servers page.

Step 15 If you selected External as the Web Authentication Type in Step 15, choose Security > AAA and choose up to three RADIUS and LDAP servers using the drop-down lists.

Step 16 Click Save.

Step 17 Repeat this process if a second (anchor) controller is being used in the network.

Configuring Controller Spanning Tree Protocol Parameters

Spanning Tree Protocol (STP) is a link management protocol that provides path redundancy while preventing undesirable loops in the network.

To view or manage current STP parameters, follow these steps:

Step 1 Choose Configure > Controllers.

Step 2 Click the IP address of the applicable controller.

Step 3 From the left sidebar menu, choose System > Spanning Tree Protocol. The Spanning Tree Protocol page displays the following parameters:

•Protocol Spec—The current protocol specification.

•Admin Status—Select this check box to enable STP.

•Priority—The numerical bridge priority of the switch.

•Maximum Age (seconds)—The amount of time (in seconds) before the received protocol information recorded for a port is discarded.

•Hello Time (seconds)—Determines how often (in seconds) the switch broadcasts its hello message to other switches.

•Forward Delay (seconds)—The time spent (in seconds) by a port in the learning/listening states of the switches.

Configuring Controller Mobility Groups

By creating a mobility group, you can enable multiple network controllers to dynamically share information and forward data traffic when inter-controller or inter-subnet roaming occurs. Controllers can share the context and state of client devices and controller loading information. With this information, the network can support inter-controller wireless LAN roaming and controller redundancy.

Note If it is possible for a wireless client in your network to roam from an access point joined to one controller to an access point joined to another controller, both controllers should be in the same mobility group.

Messaging Among Mobility Groups

The controller provides inter-subnet mobility for clients by sending mobility messages to other member controllers:

•There can be up to 72 members in the list with up to 24 in the same mobility group.

•The controller sends a Mobile Announce message to members in the mobility list each time a new client associates to it.

•In NCS and controller software release 5.0, the controller uses multicast mode to send the Mobile Announce messages. This allows the controller to send only one copy of the message to the network, which delivers it to the multicast group containing all the mobility members.

Note For more information regarding mobility groups, see the Cisco Network Control System Configuration Guide.

Mobility Group Prerequisites

Before you add controllers to a mobility group, you must verify that the following requirements have been met for all controllers that are to be included in the group:

•All controllers must be configured for the same CAPWAP transport mode (Layer 2 or Layer 3).

•IP connectivity must exist between the management interfaces of all devices.

•All controllers must be configured with the same mobility group name.

•All devices must be configured with the same virtual interface IP address.

•The MAC address and IP address of each controller to be included in the mobility group must be available, because each controller is configured with the MAC address and IP address of all the other mobility group members.

Viewing Current Mobility Group Members

To view current mobility group members, follow these steps:

Step 1 Choose Configure > Controllers.

Step 2 Click the IP address of the applicable controller.

Step 3 From the left sidebar menu, choose System > Mobility Groups.

Note To delete a group member, select a check box for the applicable group member, choose Delete Group Members, and click Go.

Adding Mobility Group Members from a List of Controllers

To add a mobility group member from a list of existing controllers, follow these steps:

Step 1 Choose Configure > Controllers.

Step 2 Click the IP address of the applicable controller.

Step 3 From the left sidebar menu, choose System > Mobility Groups.

Step 4 From the Select a command drop-down list, choose Add Group Members.

Step 5 Click Go.

Step 6 Select the check box(es) for the controller to be added to the mobility group.

Step 7 Click Save.

Manually Adding Mobility Group Members

If no controllers were found to add to the mobility group, you can add members manually. To manually add members to the mobility group, follow these steps:

Step 1 Click the click here link from the Mobility Group Member details page.

Step 2 In the Member MAC Address text box, enter the MAC address of the controller to be added.

Step 3 In the Member IP Address text box, enter the management interface IP address of the controller to be added.

Note If you are configuring the mobility group in a network where Network Address Translation (NAT) is enabled, enter the IP address sent to the controller from the NAT device rather than the controller management interface IP address. Otherwise, mobility fails among controllers in the mobility group.

Step 4 Enter the multicast group IP address to be used for multicast mobility messages in the Multicast Address text box. The local mobility member group address must be the same as the local controller group address.

Step 5 In the Group Name text box, enter the name of the mobility group.

Step 6 Click Save.

Step 7 Repeat Steps 1 through 6 for the remaining WLC devices.

Setting the Mobility Scalability Parameters

Note Mobility Groups must be configured prior to setting the mobility scalability parameters.

To set the mobility message parameters, follow these steps:

Step 1 Choose Configure > Controllers.

Step 2 Choose an IP address of a controller whose software version is 5.0 or later.

Step 3 From the left sidebar menu, choose System > General.

Step 4 At the Multicast Mobility Mode parameter, specify if you want to enable or disable the ability for the controller to use multicast mode to send Mobile Announce messages to mobility members.

Step 5 If you enabled multicast messaging by setting multicast mobility mode to enabled, you must enter the group IP address at the Mobility Group Multicast-address parameter to begin multicast mobility messaging. You must configure this IP address for the local mobility group but it is optional for other groups within the mobility list. If you do not configure the IP address for other (non-local) groups, the controllers use unicast mode to send mobility messages to those members.

Step 6 Click Save.

Configuring Controller Network Time Protocol

To add a new NTP Server, follow these steps:

Step 1 Choose Configure > Controllers.

Step 2 Click the IP address of the applicable controller.

Step 3 From the left sidebar menu, choose System > Network Time Protocol.

Step 6 From the Select a template to apply to this controller drop-down list, select the applicable template to apply to this controller.

Command Buttons

•Apply

•Cancel

To create a New Template for NTP Servers, use the click here link to access the template creation page (Configure NTP Servers > New Template).

NTP general parameters include:

•Template Name—Enter the new NTP Template name.

Note Template Name is the unique key used to identify the template. A template name is mandatory to distinguish between two templates that have identical key attributes.

•Server Address—Enter the NTP server IP address.

•No. of Controllers Applied To—Number of controllers to which this template is applied (read-only).

Background Scanning on 1510s in Mesh Networks

Background scanning allows Cisco Aironet 1510 Access Points to actively and continuously monitor neighboring channels for more optimal paths and parents. Because the access points are searching on neighboring channels as well as the current channel, the list of optimal alternate paths and parents is greater.

Identifying this information prior to the loss of a parent results in a faster transfer and the best link possible for the access points. Additionally, access points might switch to a new channel if a link on that channel is found to be better than the current channel in terms of fewer hops, stronger signal-to-noise ratio (SNR), and so on.

Background scanning on other channels and data collection from neighbors on those channels are performed on the primary backhaul between two access points:

The primary backhaul for 1510s operates on the 802.11a link.

Background scanning is enabled on a global basis on the access point's associated controller.

Note Latency might increase for voice calls when they are switched to a new channel.

Note In the EMEA regulatory domain, locating neighbors on other channels might take longer given DFS requirements.

Background Scanning Scenarios

A few scenarios are provided below to better illustrate how background scanning operates.

In Figure 9-4, when the mesh access point (MAP1) initially comes up, it is aware of both root access points (RAP1 and RAP2) as possible parents. It chooses RAP2 as its parent because the route through RAP2 is better in terms of hops, SNR, and so on. After the link is established, background scanning (once enabled) continuously monitors all channels in search of a more optimal path and parent. RAP2 continues to act as parent for MAP1 and communicates on channel 2 until either the link goes down or a more optimal path is located on another channel.

Figure 9-4 Mesh Access Point (MAP1) Selects a Parent

In Figure 9-5, the link between MAP1 and RAP2 is lost. Data from ongoing background scanning identifies RAP1 and channel 1 as the next best parent and communication path for MAP1 so that link is established immediately without the need for additional scanning after the link to RAP2 goes down.

Figure 9-5 Background Scanning Identifies a New Parent

Enabling Background Scanning

To enable background scanning on an AP1510 RAP or MAP, follow these steps:

•Router Addresses—Enter which IP addresses are already in use and should therefore be excluded. For example, you should enter the IP address of your company router. In doing so, this IP address will be blocked from use by another client.

•DNS Servers—Enter the IP address of the DNS server(s). Each DNS server must be able to update a client DNS entry to match the IP address assigned by this DHCP scope.

•NetBios Servers—Enter the IP address of the Microsoft Network Basic Input Output System (NetBIOS) name server(s), such as a Windows Internet Naming Service (WINS) server.

Configuring a Global Access Point Password

The AP Username Password page enables you to set a global password that all access points inherit as they join a controller. When you are adding an access point, you can also choose to accept this global username and password or override it on a per-access point basis. See the "Configuring AP Configuration Templates" section to view where the global password is displayed and how it can be overridden on a per-access point basis.

Also in controller software release 5.0, after an access point joins the controller, the access point enables console port security and you are prompted for your username and password whenever you log into the access point console port. When you log in, you are in non-privileged mode and you must enter the enable password in order to use the privileged mode.

To establish a global username and password, follow these steps:

Step 1 Choose Configure > Controllers.

Step 2 Click an IP address of a controller with a version of 5.0 or later.

Step 3 From the left sidebar menu, choose System > AP Username Password.

Step 4 Enter the username and password that you want to be inherited by all access points that join the controller.

Note For Cisco IOS access points, you must also enter and confirm an enable password.

Step 5 Click Save.

Configuring Global CDP

Cisco Discovery Protocol (CDP) is a device-discovery protocol that runs on all Cisco network equipment. Each device sends identifying messages to a multicast address, and each device monitors the messages sent by other devices.

Note CDP is enabled on the bridge's Ethernet and radio ports by default.

Note The Global Interface CDP Configuration is applied only to access points that have CDP enabled at the AP level.

To configure a Global CDP, perform the following steps:

Step 1 Choose Configure > Controllers.

Step 2 Choose the IP address of the desired controller.

Step 3 From the left sidebar menu, choose System > Global CDP Configuration. The Global CDP Configuration page appears.

Step 4 In the Global CDP portion of the page, specify the following parameters:

•CDP on controller—Choose whether to enable or disable CDP on the controller.

Note This configuration cannot be applied on WISM2 controllers.

•Global CDP on APs—Choose to enable or disable CDP on the access points.

•Refresh-time Interval (seconds)—Enter the interval, in seconds, at which CDP messages are generated. The default is 60.

•Holdtime (seconds)—Enter the time, in seconds, before a CDP neighbor entry expires. The default is 180.

•CDP Advertisement Version—Choose which version of the CDP protocol to use. The default is v1.

Step 5 In the CDP for Ethernet Interfaces portion of the page, select the slots of Ethernet interfaces for which you want to enable CDP.

Note CDP for Ethernet Interfaces fields are supported for controller version 7.0.110.2 onwards.

Step 6 In the CDP for Radio Interfaces portion of the page, select the slots of Radio interfaces for which you want to enable CDP.

Note CDP for Radio Interfaces fields are supported for controller version 7.0.110.2 onwards.

Step 7 Click Save.

Configuring AP 802.1X Supplicant Credentials

You can configure 802.1X authentication between lightweight access points and the switch. The access point acts as an 802.1X supplicant and is authenticated by the switch using EAP-FAST with anonymous PAC provisioning. You can set global authentication settings that all access points inherit as they join the controller. This includes all access points that are currently joined to the controller and any that join in the future.

Note To set the format of the RemoteID field in DHCP option 82: if 'Ap-Mac' is selected, the RemoteID format is <AP-Mac>; if 'Ap-Mac-ssid' is selected, the RemoteID format is <AP-Mac>:<SSID>.

•DHCP Proxy—Select the check box to enable DHCP by proxy.

Note When DHCP proxy is enabled on the controller, the controller unicasts DHCP requests from the client to the configured servers. Consequently, at least one DHCP server must be configured on either the interface associated with the WLAN or the WLAN itself.

Step 5 Enter the DHCP Timeout in seconds after which the DHCP request will time out. The default setting is 5. Allowed values range from 5 to 120 seconds.

Note DHCP Timeout is applicable from the controller version 7.0.114.74 onwards.

Step 8 Choose Enable from the Multicast Mobility Mode drop-down list to change the IGMP snooping status or to set the IGMP timeout. When IGMP snooping is enabled, the controller gathers IGMP reports from the clients and then sends each access point a list of the clients listening to any multicast group. The access point then forwards the multicast packets only to those clients.

The timeout interval has a range of 3 to 300 and a default value of 60. When the timeout expires, the controller sends a query to all WLANs. Those clients which are listening in the multicast group then send a packet back to the controller.

Step 9 If you enabled the Multicast Mobility Mode, enter the mobility group multicast address.

Step 10 Select the Multicast Direct feature check box to enable videos to be streamed over a wireless network.

Step 11 Specify the Session Banner information, which is the error information sent to the client if the client is denied or dropped from a Media Stream.

a. State—Select the check box to activate the Session Banner. If not activated, the Session Banner is not sent to the client.

Access Point Timer Settings for Local Mode

To reduce the failure detection time, you can configure the fast heartbeat interval (between the controller and the access point) with a smaller timeout value. When the fast heartbeat timer expires (at every heartbeat interval), the access point determines if any data packets have been received from the controller within the last interval. If no packets have been received, the access point sends a fast echo request to the controller. You can then enter a value between 10 and 15 seconds.

Access Point Timer Settings for HREAP Mode

Once selected, you can configure the HREAP timeout value. Select the AP Primary Discovery Timeout check box to enable the timeout value. Enter a value between 30 and 3600 seconds.

Note 5500 series controllers accept access point fast heartbeat timer values in the range of 10-15. All other controller models support a range of 1-10.

Configuring Controller WLANs

Since controllers can support 512 WLAN configurations, NCS provides an effective way to enable or disable multiple WLANs at a specified time for a given controller.

To view a summary of the wireless local area networks (WLANs) that you have configured on your network, follow these steps:

General Tab

Note Depending on the WLAN template used for this controller, these parameters may or may not be available.

•Guest LAN—Indicates whether or not this WLAN is a Guest LAN.

•Profile Name

•SSID

•Status—Select the Enabled check box to enable this WLAN.

Note To configure a start time for the WLAN status to be enabled, select the Schedule Status check box. Select the hours and minutes from the drop-down lists. Click the calendar icon to select the applicable date.

•Schedule Status

•Security Policies—Identifies the security policies set using the Security tab (includes security policies such as None, 802.1X, Static WEP, Static WEP-802.1X, WPA+WPA2, and CKIP). Changes to the security policies appear in this section after the page is saved.

•Radio Policy—Choose from the drop-down list.

–All, 802.11a only, 802.11g only, 802.11b/g only, 802.11a/g only.

•Interface/Interface Group—Select from the drop-down list.

•Broadcast SSID—Select the check box to enable.

•Egress Interface—Select the name of the applicable interface. This WLAN provides a path out of the controller for wired guest client traffic.

Note If you only have one controller in the configuration, choose Management from the Egress Interface drop-down list.

•Ingress Interface—Select the applicable VLAN from the drop-down list. This interface provides a path between the wired guest client and the controller by way of the Layer 2 access switch.

Security Tab

Layer 2 Security

Use the Layer 2 Security drop-down list to choose between None, 802.1x, Static WEP, Cranite, Static WEP-802.1x, WPA1+WPA2, and CKIP. These parameters are described in Table 9-2.

MAC Filtering—Select the check box if you want to filter clients by MAC address.

Table 9-2 Layer 2 Security Options

Parameter

Description

None

No Layer 2 security selected.

802.1x

802.11 Data Encryption:

•Type—WEP

•Key Size—40, 104, or 128 bits.

Static WEP

802.11 Data Encryption:

•Type

•Key Size—not set, 40, 104, or 128 bits.

•Key Index—1 to 4.

•Encryption Key

•Encryption Key Format—ASCII or HEX.

•Allowed Shared Key Authentication—Select the check box to enable.

Cranite

Configure the WLAN to use the FIPS140-2 compliant Cranite Wireless Wall Software Suite, which uses AES encryption and VPN tunnels to encrypt and verify all data frames carried by the Cisco Wireless LAN Solution.

Static WEP-802.1X

Use this setting to enable both Static WEP and 802.1X policies. If this option is selected, static WEP and 802.1X parameters are displayed at the bottom of the page.

Static WEP encryption parameters:

•802.11 Data Encryption

–Type

–Key Size—not set, 40, 104, or 128 bits.

–Key Index—1 to 4.

–Encryption Key

–Encryption Key Format—ASCII or HEX.

•Allowed Shared Key Authentication—Select the check box to enable.

802.1X parameters:

•802.11 Data Encryption

–Type

–Key Size—40, 104, or 128 bits.

WPA+WPA2

Use this setting to enable WPA, WPA2, or both. WPA enables Wi-Fi Protected Access with TKIP-MIC Data Encryption or AES. When WPA+WPA2 is selected, you can use Cisco's Centralized Key Management (CCKM) authentication key management, which allows fast exchange when a client roams from one access point to another.

When WPA+WPA2 is selected as the Layer 2 security policy and Pre-Shared Key is enabled, neither CCKM nor 802.1X can be enabled; without Pre-Shared Key, both CCKM and 802.1X can be enabled at the same time.

WPA+WPA2 parameters:

•WPA1—Select the check box to enable.

•WPA2—Select the check box to enable.

Authentication Key Management:

•802.1X—Select the check box to enable.

•CCKM—Select the check box to enable.

•PSK—Select the check box to enable.

CKIP

Cisco Key Integrity Protocol. A Cisco access point advertises support for CKIP in beacon and probe response packets. CKIP can be configured only when Aironet IE is enabled on the WLAN.

Note CKIP is not supported on 10xx access points.

CKIP parameters:

•802.11 Data Encryption

–Type

–Key Size—not set, 40, 104, or 128 bits.

–Key Index—1 to 4.

–Encryption Key

–Encryption Key Format—ASCII or HEX.

•MMH Mode—Select the check box to enable.

•Key Permutation—Select the check box to enable.

Layer 3 Security

Use the Layer 3 Security drop-down list to choose between None, VPN Pass Through, and IPsec (Internet Protocol Security). The page parameters change according to the selection you make.

Note Depending on the type of WLAN, the Layer 3 parameters may or may not be available.

Note If you choose VPN pass through, you must enter the VPN gateway address.

Note IPsec is a suite of protocols for securing IP communications by authenticating and/or encrypting each IP packet in a data stream. IPsec also includes protocols for establishing cryptographic keys.

Web Policy—Select the check box to specify policies such as authentication, pass through, or conditional web redirect. This section also allows you to enable guest users to view customized login pages.

Note If you choose Pass Through, the Email Input check box appears. Select this check box if you want users to be prompted for their email addresses when attempting to connect to the network.

Note If External is selected, you can select up to three RADIUS and LDAP servers from the Security > AAA page. See the "AAA Servers" section for more information.

AAA Servers

Select RADIUS and LDAP servers to override use of default servers on the current WLAN.

–RADIUS Servers—Use the drop-down lists to choose authentication and accounting servers. With this selection, the default RADIUS server for the specified WLAN overrides the RADIUS server that is configured for the network. If all three RADIUS servers are configured for a particular WLAN, server 1 has the highest priority, and so on.

–LDAP Servers—If no LDAP servers are chosen from the drop-down lists, NCS uses the default LDAP server order from the database.

–Local EAP Authorization—Allows users and wireless clients to be authenticated locally. It is designed for use in remote offices that want to maintain connectivity to wireless clients when the back-end system becomes disrupted or the external authentication server fails.

Select the check box to enable if you have an EAP profile configured. Select the profile from the drop-down list.

–Allow AAA Override—When enabled, if a client has conflicting AAA and controller WLAN authentication parameters, client authentication is performed by the AAA server.

As part of this authentication, the operating system moves clients from the default Cisco WLAN solution to a VLAN returned by the AAA server and predefined in the controller interface configuration (only when configured for MAC filtering, 802.1X, or WPA operation).

In all cases, the operating system also uses QoS and ACL provided by the AAA server as long as they are predefined in the controller interface configuration. (This VLAN switching by AAA override is also referred to as identity networking.)

When AAA override is disabled, all client authentication defaults to the controller authentication parameter settings, and authentication is only performed by the AAA server if the controller WLANs do not contain any client-specific authentication parameters.

QoS Tab

–Services such as VoIP should be set to gold. Non-discriminating services such as text messaging can be set to bronze.

•WMM Parameters

–WMM Policy—Choose Disabled, Allowed (to allow clients to communicate with the WLAN), or Required (to make it mandatory for clients to have WMM enabled for communication).

–7920 AP CAC—Select the check box to enable support on Cisco 7920 phones.

–7920 Client CAC—Select the check box to enable WLAN support for older versions of the software on 7920 phones. The CAC limit is set on the access point for newer versions of software.

Advanced Tab

•H-REAP Local Switching—Select the check box to enable Hybrid REAP local switching. When enabled, the H-REAP access point handles client authentication and switches client packets locally. See the "Configuring Hybrid REAP" section for more information.

Note H-REAP local switching applies only to Cisco 1130/1240/1250 series access points. It is not supported with L2TP, PPTP, CRANITE, and FORTRESS authentications. It does not apply to WLAN IDs 9-16.

•Enable H-REAP local authentication by selecting the H-REAP Local Auth check box.

Local authentication is useful where you cannot meet the criteria for a remote office setup: a minimum bandwidth of 128 kbps, a round-trip latency no greater than 100 ms, and a maximum transmission unit (MTU) no smaller than 500 bytes. In local switching, the authentication capabilities are present in the access point itself. Thus local authentication reduces the latency requirements of the branch office.

Note Local authentication can only be enabled on the WLAN of a HREAP AP that is in local switching mode.

Local authentication is not supported in the following scenarios:

–Guest Authentication cannot be performed on a HREAP local authentication enabled WLAN.

–RRM information is not available at the controller for the hybrid REAP local authentication enabled WLAN.

–Local radius is not supported.

–Once the client has been authenticated, roaming will only be supported after the WLC and the other hybrid REAPs in the group are updated with the client information.

•Session Timeout (secs)—Set the maximum time a client session can continue before re-authentication.

•Aironet IE—Select the check box to enable support for Aironet information elements (IEs) for this WLAN.

–If Aironet IE support is enabled, the access point sends an Aironet IE 0x85 (which contains the access point name, load, number of associated clients, and so on) in the beacon and probe responses of this WLAN, and the controller sends Aironet IEs 0x85 and 0x95 (which contains the management IP address of the controller and the IP address of the access point) in the reassociation response if it receives Aironet IE 0x85 in the association request.

•IPv6—Select the check box to enable IPv6.

Note Layer 3 security must be set to None for IPv6 to be enabled.

•Diagnostic Channel—Click to enable the diagnostics. When enabled, clients can connect to this WLAN for diagnostic purposes.

Note The results of the diagnostic tests are stored in the SNMP table, and NCS polls these tables to display the results.

•Override Interface ACL—Select a defined access control list (ACL) from the drop-down list. When an ACL is selected, it is associated with this WLAN.

–This option allows users to configure peer-to-peer blocking for individual clients rather than universally for all WLAN clients.

•Client Exclusion—Select the check box to enable automatic client exclusion. If it is enabled, set the timeout value in seconds for disabled client machines.

–Client machines are excluded by MAC address, and their status can be observed.

–A timeout setting of 0 indicates that administrative control is required in order to re-enable the client.

Note When session timeout is not set, the excluded client remains and will not time out from the excluded state. It does not imply that the exclusion feature is disabled.

•Media Session Snooping—Click to enable Media Session Snooping. This feature enables access points to detect the establishment, termination, and failure of voice calls and then report them to the controller and NCS. It can be enabled or disabled for each WLAN.

When media session snooping is enabled, the access point radios advertising this WLAN snoop for Session Initiation Protocol (SIP) voice packets. Any packets destined to or originating from port number 5060 are considered for further inspection. The access point tracks whether Wi-Fi Multimedia (WMM) and non-WMM clients are establishing a call, already on an active call, or in the process of ending a call, and then notifies the controller of any major call events.

•NAC State—From the NAC State drop-down list, choose SNMP NAC or Radius NAC. SIP errors that are discovered generate traps that appear on the client troubleshooting and alarms screens. The controller can integrate with the NAC appliance in out-of-band mode, where the NAC appliance remains in the data path only until clients have been analyzed and cleaned. Out-of-band mode reduces the traffic load on the NAC appliance and enables centralized NAC processing. See the "NAC Integration" section for more information.

Passive clients are wireless devices like scales and printers that are configured with a static IP address. These clients do not transmit any IP information such as IP address, subnet mask, and gateway information during association with an access point. As a result, when passive clients are used, the controller will never know the IP address unless they use DHCP.

Wireless LAN controllers currently act as a proxy for ARP requests. On receiving an ARP request, the controller responds with an ARP response instead of passing the request directly to the client. This has two advantages:

–The upstream device that sends out the ARP request to the client cannot know where the client is located.

–Reserves power for battery-operated devices like mobile phones and printers as they do not need to respond to every ARP request.

Because the wireless controller does not have any IP-related information about passive clients, it cannot respond to any ARP requests. The current behavior does not allow the transfer of ARP requests to passive clients. Therefore, any application that tries to access a passive client will fail.

This feature enables ARP requests and responses to be exchanged between wired and wireless clients on a per-VLAN/WLAN basis. This feature enables the user to mark a desired WLAN for presence of proxy ARP thereby enabling the controller to pass the ARP requests until the client gets to RUN state.

Note This feature is supported only on the 5500 and 2100 series controllers.

•DTIM Period (in beacon intervals)—For 802.11a/n and 802.11b/g/n, specify the frequency of the DTIM packet sent in the wireless medium. This period can be configured for every WLAN (except guest WLAN) on all version 6.0 and above controllers.

•DHCP

–DHCP Server—Select the check box to override the DHCP server, and enter the IP address of the DHCP server.

Note For some WLAN configurations, this setting is required.

–DHCP Addr. Assignment—If you select the Required check box, clients connected to this WLAN will get an IP address from the default DHCP server.

•Management Frame Protection (MFP)

–MFP Signature Generation—If the check box is selected, it enables signature generation for the 802.11 management frames transmitted by an access point associated with this WLAN. With signature generation, changes to the transmitted management frames by an intruder are detected and reported.

Note Client-side MFP is available only for those WLANs configured to support CCXv5 (or later) clients. In addition, WPA1 must first be configured.

•Foreign Controller Mapping—Click this link to configure foreign controller mappings. This will take you to the Foreign Controller configuration page. In this configuration page, choose a foreign controller from the Foreign Controller drop-down list and choose an interface or interface group from the Interface/Interface Group drop-down list. After choosing the required options, click Add to complete the adding of a foreign controller.

Mobility Anchors

Mobility anchors are one or more controllers defined as anchors for the WLAN. Clients (802.11 mobile stations such as a laptop) are always attached to one of the anchors.

This feature can be used to restrict a WLAN to a single subnet, regardless of the client's entry point into the network. In this way, users can access a public or guest WLAN throughout an enterprise but still be restricted to a specific subnet. Guest WLAN can also be used to provide geographical load balancing because WLANs can represent a particular section of a building (such as a lobby, restaurant, and so on).

When a client first associates to a controller of a mobility group that has been preconfigured as a mobility anchor for a WLAN, the client associates to the controller locally, and a local session is created for the client. Clients can be anchored only to preconfigured anchor controllers of the WLAN. For a given WLAN, you should configure the same set of anchor controllers on all controllers in the mobility group.

When a client first associates to a controller of a mobility group that has not been configured as a mobility anchor for a WLAN, the client associates to the controller locally, a local session is created for the client, and the controller is announced to the other controllers in the same mobility group. If the announcement is not answered, the controller contacts one of the anchor controllers configured for the WLAN and creates a foreign session for the client on the local switch. Packets from the client are encapsulated and delivered to the wired network. Packets to the client are received by the anchor controller and forwarded to the foreign controller through a mobility tunnel using EtherIP. The foreign controller decapsulates the packets and forwards them to the client.

Note A 2000 series controller cannot be designated as an anchor for a WLAN. However, a WLAN created on a 2000 series controller can have a 4100 series controller or a 4400 series controller as its anchor.

Note The L2TP Layer 3 security policies are unavailable for WLANs configured with a mobility anchor.

To view the real time status of mobility anchors for a specific WLAN, follow these steps:

Configuring WLANs AP Groups

Site-specific VLANs or AP groups limit the broadcast domains to a minimum by segmenting a WLAN into different broadcast domains. Benefits of this include more effective management of load balancing and bandwidth allocation.

To open this page, follow these steps:

Step 1 Choose Configure > Controllers.

Step 2 Click a controller IP address.

Step 3 From the left sidebar menu, choose WLAN > AP Groups.

This page displays a summary of the AP groups configured on your network. From here you can add, remove, or view details of an AP group. Click the AP group name on the Access Points tab to view or edit its access point(s). Click the WLAN Profiles tab to view, edit, add, or delete WLAN profiles.

Adding Access Point Groups

To add a new access point group, follow these steps:

Step 1 Choose Configure > Controllers.

Step 2 Click a controller IP address.

Step 3 From the left sidebar menu, choose WLAN > AP Groups.

Note AP Groups (for 5.2 and later controllers) is referred to as AP Group VLANs for controllers prior to 5.2.

In the AP Groups details page, you can add access points and WLAN profiles to this access point group.

Step 6 Enter a name and group description for the access point group.

Note The group description is optional.

Step 7 To add access points to the group, follow these steps:

a. Click the Access Points tab.

b. Click Add. The access point page displays parameters for available access points. Click the access point name to view or edit parameters for one of the available access points.

c. Select the check box(es) of the access point(s) you want to add.

d. Click Select.

Step 8 To add a WLAN profile to this group, follow these steps:

a. Click the WLAN Profiles tab.

Note Each access point is limited to sixteen WLAN profiles. Each access point broadcasts all WLAN profiles unless the WLAN override feature is enabled. The WLAN override feature allows you to disable any of the 16 WLAN profiles per access point.

Note The WLAN override feature applies only to older controllers that do not support the 512 WLAN feature (can support up to 512 WLAN profiles).

Note OfficeExtend access points are limited to fifteen WLAN profiles because one is reserved as the personal or local SSID for the OfficeExtend access point.

Step 9 Enter a WLAN profile name or choose one from the WLAN Profile Name drop-down list.

Step 10 Choose the interface or interface group from the Interface/Interface Group drop-down list.

Auditing Access Point Groups

You can audit the access point group to determine if the NCS and device values differ.

To audit an access point group, follow these steps:

Step 1 Choose Configure > Controllers.

Step 2 Click a controller IP address.

Step 3 From the left sidebar menu, choose WLAN > AP Groups.

Step 4 Click the name of the access point group that you want to audit.

Note Click Audit located at the bottom of the page.

Configuring Hybrid REAP Parameters

Hybrid REAP enables customers to configure and control access points in a branch or remote office from the corporate office through a wide area network (WAN) link without deploying a controller in each office. There is no deployment restriction on the number of hybrid-REAP access points per location. The hybrid-REAP access points can switch client data traffic locally and perform client authentication locally when their connection to the controller is lost. When they are connected to the controller, they can also send traffic back to the controller.

•Group Name—The name of the H-REAP AP group. Click the group name to view its details.

Note Use the check box to select a group for deletion.

Configuring a H-REAP AP Group

To configure a hybrid-REAP access point group, follow these steps:

Step 1 Choose Configure > Controllers.

Step 2 Click the IP address of the applicable controller.

Step 3 From the left sidebar menu, choose H-REAP > H-REAP AP Groups.

Step 4 From the Select a command drop-down list, click Add H-REAP AP Group to open the H-REAP AP Group > Add From Template pane.

Step 5 Select a template from the Select a template to apply to this controller drop-down list.

Step 6 Click Apply.

Note To make modifications to an existing H-REAP AP Group, click the existing group in the Group Name column of the H-REAP AP Group page. To delete an existing group, select the check box of the group you want to remove, and choose Delete H-REAP AP Group from the Select a command drop-down list.

Note If a RADIUS authentication server is not present on the controller, the NCS configured RADIUS server does not apply.

•H-REAP AP tab

–Ethernet MAC—Select the check box of the H-REAP AP to apply to the H-REAP group.

Note An AP Ethernet MAC address cannot exist in more than one H-REAP group on the same controller. The controller will not allow you to set an AP Ethernet MAC in a hybrid-REAP group if it is already present in another H-REAP group.

–Add AP—Click to add an additional H-REAP AP (present in the NCS) to an existing H-REAP group.

Step 8 If you want to enable local authentication for a hybrid-REAP group, click the H-REAP Configuration tab.

Note Make sure that the Primary RADIUS Server and Secondary RADIUS Server parameters are set to None on the General tab.

Step 9 Select the H-REAP Local Authentication Enable check box to enable local authentication for this hybrid-REAP group. The default value is unselected.

Step 10 To allow a hybrid-REAP access point to authenticate clients using LEAP, select the LEAP check box. Otherwise, to allow a hybrid-REAP access point to authenticate clients using EAP-FAST, select the EAP-FAST check box.

Step 11 Perform one of the following, depending on how you want protected access credentials (PACs) to be provisioned:

•To use manual PAC provisioning, enter the key used to encrypt and decrypt PACs in the EAP-FAST Key text box. The key must be 32 hexadecimal characters.

•To allow PACs to be sent automatically to clients that do not have one during PAC provisioning, select the Ignore Server Key check box.

Step 12 In the EAP-FAST Authority ID text box, enter the authority identifier of the EAP-FAST server. The identifier must be 32 hexadecimal characters.

Step 13 In the EAP-FAST Authority Info text box, enter the authority identifier of the EAP-FAST server in text format. You can enter up to 32 hexadecimal characters.

Step 14 In the EAP-FAST PAC Timeout text box, specify a PAC timeout value by entering the number of seconds for the PAC to remain visible in the edit text box. The valid range is 2 to 4095 seconds.

Note To see if an individual access point belongs to a hybrid-REAP group, click the Users configured in the group link. It advances you to the H-REAP AP Group page, which shows the names of the groups and the access points that belong to each.

Auditing an H-REAP Group

If the H-REAP configuration changes over a period of time either on NCS or the controller, you can audit the configuration. The changes are visible in subsequent pages. You can specify to refresh NCS or the controller to synchronize the configuration.

This page displays TACACS+ servers currently used by this controller and contains the following parameters:

•Check box—Select the check box to choose a TACACS+ server for deletion.

•Server Type—The TACACS+ server type.

•Displays Accounting, Authorization, or Authentication.

•Server Index—A number assigned to identify the TACACS+ server and set its use priority.

•Click the index number to go to the TACACS+ server configuration page.

•Server Address—The TACACS+ server IP address.

•Port Number—The port number used to communicate with the TACACS+ server.

•Admin Status—Server template status.

Indicates if use of the TACACS+ server template is enabled.

If the title of a column is a link, click it to toggle between ascending and descending order.

The Select a command drop-down list has the following options:

•Add TACACS+ Server—Choose this option, then click Go to add a TACACS+ server to the controller.

•Delete TACACS+ Servers—Choose this option, then click Go to delete all TACACS+ servers with a selected check box from the controller.

Configuring AAA Local Net Users

This page provides a summary of the existing local network user controllers for clients who are allowed to access a specific WLAN. This is an administrative bypass of the RADIUS authentication process. Layer 3 Web Authentication must be enabled. The client information is passed to the RADIUS authentication server first, and if the client information does not match a RADIUS database entry, this local database is polled. Clients located in this database are granted access to network services if the RADIUS authentication fails or does not exist.

–Custom Redirect URL—URL where the user is redirected after a successful authentication. For example, if the value entered for this text box is http://www.example.com, the user would be directed to the company home page.

•Customized Web Auth

You have the option of downloading an example login page and customizing the page. If you are using a customized web authentication page, it is necessary to download the example login.tar bundle file from the server, edit the login.html file and save it as either a .tar or .zip file, then download the .tar or .zip file to the controller.

Note If you disable password policy options, you will see a "Disabling the strong password check(s) will be a security risk as it allows weak passwords" message.

Configure Controllers > IPaddr > Security > Local EAP

Local EAP is an authentication method that allows users and wireless clients to be authenticated locally. It is designed for use in remote offices that want to maintain connectivity to wireless clients when the backend system becomes disrupted or the external authentication server goes down.

When you enable local EAP, the controller serves as the authentication server and the local user database, making it independent of an external authentication server. Local EAP retrieves user credentials from the local user database or the LDAP backend database to authenticate users.

Configuring Local EAP General Parameters

This page allows you to specify a timeout value for local EAP. You can then add a template with this timeout value or make changes to an existing template.

Note If any RADIUS servers are configured on the controller, the controller tries to authenticate the wireless clients using the RADIUS servers first. Local EAP is attempted only if no RADIUS servers are found, either because the RADIUS servers timed out or no RADIUS servers were configured. If four RADIUS servers are configured, the controller attempts to authenticate the client with the first RADIUS server, then the second RADIUS server, and then local EAP. If the client attempts to then reauthenticate manually, the controller tries the third RADIUS server, then the fourth RADIUS server, and then local EAP.

To specify a timeout value for local EAP, follow these steps:

Step 1 Choose Configure > Controllers.

Step 2 Click the IP address of the applicable controller.

Step 3 From the left sidebar menu, choose Security > Local EAP > General - Local EAP.

Note Local Auth Active Timeout refers to the timeout period during which Local EAP will always be used after all RADIUS servers have failed.

Step 5 The following values should be adjusted if you are using EAP-FAST, manual password entry, one-time password, or 7920/7921 phones.

Note You must increase the 802.1x timeout values on the controller (default=2 seconds) for the client to obtain the PAC using automatic provisioning. We recommend the default timeout on the Cisco ACS server of 20 seconds.

•Local EAP Identity Request Timeout=1 (in seconds)

•Local EAP Identity Request Maximum Retries=20 (in seconds)

•Local EAP Dynamic Wep Key Index=0

•Local EAP Request Timeout=20 (in seconds)

•Local EAP Request Maximum Retries=2

•EAPOL-Key Timeout=1000 (in milliseconds)

•EAPOL-Key Max Retries=2

•Max-Login Ignore Identity Response

Note Roaming fails if these values are not set the same across multiple controllers.

Step 6 Click Save.

Command Buttons

•Save—Click to save the current template.

•Apply to Controllers—Click to apply the current template to controllers. In the Apply to Controllers page, choose the applicable controllers, and click OK.

•Delete—Click to delete the current template. If the template is currently applied to controllers, click OK to confirm that you want to remove the template from the selected controllers to which it is applied.

•Cancel—Click to cancel the current template creation or changes to the current template.

Configuring Local EAP Profiles

This page allows you to apply a template for a local EAP profile or make modifications to an existing template.

Note The LDAP backend database supports only these local EAP methods: EAP-TLS and EAP-FAST with certificates. LEAP and EAP-FAST with PACs are not supported for use with the LDAP backend database.

Viewing Existing Local EAP Profiles

Step 3 From the left sidebar menu, choose Security > Local EAP > Local EAP Profiles. The Local EAP Profiles page displays the following parameters:

•EAP Profile Name—User-defined identification.

•LEAP—Authentication type that leverages Cisco Key Integrity Protocol (CKIP) and MMH message integrity check (MIC) for data protection. A username and password are used to perform mutual authentication with the RADIUS server through the access point.

Managing Manually Disabled Clients

Clients who fail to authenticate three times when attempting to associate are automatically blocked, or excluded, from further association attempts for an operator-defined timeout. After the Excluded timeout, the client is allowed to retry authentication until it associates or fails authentication and is excluded again.

Configure IPaddr > Access Control List > listname Rules

This page displays current access control list (ACL) rules applied to this access control list.

To access the Access Control Lists Rules page, follow these steps:

Step 1 Choose Configure > Controllers.

Step 2 Click the applicable IP address under the IP address column.

Step 3 From the left sidebar menu, choose Security > Access Control Lists.

Step 4 Click an ACL name.

•Check box—Select to delete access control list rules.

•Seq#—The operator can define up to 64 Rules for each ACL. The Rules for each ACL are listed in contiguous sequence from 1 to 64. That is, if Rules 1 through 4 are already defined and you add Rule 29, it will be added as Rule 5.

Note If you add or change a sequence number, the operating system adjusts the other rule sequence numbers to retain the contiguous sequence. For instance, if you have sequence numbers 1 through 7 defined and change number 7 to 5, the operating system automatically reassigns Sequence 6 to 7 and Sequence 5 to 6.

•Action—Permit, Deny.

•Source IP/Mask—Source IP address and mask.

•Destination IP/Mask—Destination IP address and mask.

•Protocol—Protocol to use for this ACL:

–Any—All protocols

–TCP—Transmission Control Protocol

–UDP—User Datagram Protocol

–ICMP—Internet Control Message Protocol

–ESP—IP Encapsulating Security Payload

–AH—Authentication Header

–GRE—Generic Routing Encapsulation

–IP—Internet Protocol

–Eth Over IP—Ethernet over Internet Protocol

–Other Port OSPF—Open Shortest Path First

–Other—Any other IANA protocol (http://www.iana.org/)

If TCP or UDP is selected, Source Port and Dest Port parameters appear:

The choices include the wired side of the data traffic, the wireless side of the data traffic, or both wired and wireless.
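The sequence-number and first-match behaviour described above, as an added example (this is illustrative code, not NCS or controller code). It models the rule fields listed on this page; the `direction` field with the values wired, wireless and both, the implicit deny at the end of the list, and the sample rules and packets are assumptions made for the example:

```python
"""Added example (not Cisco's code): an ACL with contiguous sequence numbers (1..64)
and first-match evaluation, built from the rule parameters listed above."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Rule:
    action: str                                   # "permit" or "deny"
    protocol: str = "any"                         # "any", "tcp", "udp", "icmp", "esp", ...
    source: str = "0.0.0.0/0.0.0.0"               # "address/subnet mask" (Source IP/Mask)
    destination: str = "0.0.0.0/0.0.0.0"          # Destination IP/Mask
    src_port: Optional[Tuple[int, int]] = None    # inclusive range; TCP/UDP only
    dst_port: Optional[Tuple[int, int]] = None
    direction: str = "both"                       # "wired", "wireless" or "both" (assumed name)


def _in_subnet(address: str, spec: str) -> bool:
    ip, mask = spec.split("/")
    return ipaddress.ip_address(address) in ipaddress.ip_network(f"{ip}/{mask}", strict=False)


def _port_ok(rng, port) -> bool:
    return rng is None or rng[0] <= port <= rng[1]


class AccessControlList:
    MAX_RULES = 64

    def __init__(self, name: str):
        self.name = name
        self.rules = []                # list index 0 holds Seq# 1

    def add_rule(self, seq: int, rule: Rule) -> int:
        """Insert at Seq# `seq`; a number past the end becomes the next free Seq#.
        Returns the sequence number actually assigned."""
        if len(self.rules) >= self.MAX_RULES:
            raise ValueError("an ACL holds at most 64 rules")
        index = min(max(seq, 1), len(self.rules) + 1) - 1
        self.rules.insert(index, rule)
        return index + 1

    def renumber(self, old_seq: int, new_seq: int) -> None:
        """Change a rule's Seq#; the other rules shift so that 1..N stays contiguous."""
        rule = self.rules.pop(old_seq - 1)
        self.add_rule(new_seq, rule)

    def sequence(self):
        return [(i + 1, r.action, r.protocol) for i, r in enumerate(self.rules)]

    def evaluate(self, pkt: dict):
        """Return (action, matching Seq#). No match falls through to the implicit deny."""
        for seq, rule in enumerate(self.rules, start=1):
            if rule.direction not in ("both", pkt["direction"]):
                continue
            if rule.protocol not in ("any", pkt["protocol"]):
                continue
            if not _in_subnet(pkt["src"], rule.source) or not _in_subnet(pkt["dst"], rule.destination):
                continue
            if rule.protocol in ("tcp", "udp") and not (
                    _port_ok(rule.src_port, pkt.get("sport", 0))
                    and _port_ok(rule.dst_port, pkt.get("dport", 0))):
                continue
            return rule.action, seq
        return "deny", None


def build_demo_acl() -> AccessControlList:
    """Constructed sample: allow DNS to an internal resolver, block the rest of 10/8 from
    the wireless side, permit everything else."""
    acl = AccessControlList("guest-wlan")
    acl.add_rule(1, Rule("permit", "udp", destination="10.0.0.53/255.255.255.255", dst_port=(53, 53)))
    acl.add_rule(2, Rule("deny", "any", destination="10.0.0.0/255.0.0.0", direction="wireless"))
    acl.add_rule(3, Rule("permit", "any"))
    return acl


def demo_renumbering():
    """Reproduces the two cases in the text: adding Rule 29 to a 4-rule ACL (it becomes
    Rule 5) and changing Seq# 7 to 5 in a 7-rule ACL (old 5 and 6 shift to 6 and 7)."""
    acl = AccessControlList("seq-demo")
    for i in range(1, 5):
        acl.add_rule(i, Rule("permit", f"p{i}"))
    assigned = acl.add_rule(29, Rule("deny", "p29"))
    for i in range(6, 8):
        acl.add_rule(i, Rule("permit", f"p{i}"))
    acl.renumber(7, 5)
    return assigned, [proto for _, _, proto in acl.sequence()]
```

The order of rules decides the outcome: the DNS permit must precede the 10/8 deny, and renumbering shifts every later rule, so re-check the sequence after any insert.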

Configuring the IDS Sensor List

When the sensors identify an attack, they alert the controller to shun the offending client. When you add a new IDS (Intrusion Detection System) sensor, you register the controller with that IDS sensor so that the sensor can send shunned client reports to the controller. The controller also polls the sensor periodically.

Configuring ID Certificates

This page lists the existing network ID certificates by certificate name. An ID certificate can be used by web server operators to ensure secure server operation. This section contains the following topics:

Caution Each certificate has a variable-length embedded RSA key. The RSA key can vary from 512 bits, which is relatively insecure, through thousands of bits, which is very secure. When you are obtaining a new certificate from a certificate authority (such as the Microsoft CA), make sure the RSA key embedded in the certificate is at least 768 bits.
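A way to verify the key size before loading a certificate, as an added example that is not part of this guide or of NCS: it walks the DER encoding with the standard library only, finds the rsaEncryption SubjectPublicKeyInfo and returns the modulus length. The sample input is a constructed SubjectPublicKeyInfo with a dummy modulus, not a real key, and the 768-bit floor is the page's figure used as the default parameter; current practice treats anything below 2048 bits as weak, so pass a higher minimum in production:

```python
"""Added example (not Cisco's code, stdlib only): read the RSA modulus length out of a
DER-encoded certificate or SubjectPublicKeyInfo and enforce a minimum key size."""

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1


def _read_tlv(data, pos):
    """Decode one DER tag-length-value header; return (tag, value_start, value_end)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next (length & 0x7F) bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(data, start, end):
    """Yield (tag, value_start, value_end) for each TLV inside data[start:end]."""
    pos = start
    while pos < end:
        tag, vs, ve = _read_tlv(data, pos)
        yield tag, vs, ve
        pos = ve


def rsa_modulus_bits(der: bytes):
    """Depth-first search for AlgorithmIdentifier {rsaEncryption} followed by the BIT STRING
    that wraps RSAPublicKey; return the modulus bit length, or None if no RSA key is found."""
    stack = [(0, len(der))]
    while stack:
        start, end = stack.pop()
        items = list(_children(der, start, end))
        for i, (tag, vs, ve) in enumerate(items):
            if tag == 0x30 and i + 1 < len(items) and items[i + 1][0] == 0x03:
                first = next(_children(der, vs, ve), None)
                if first and first[0] == 0x06 and der[first[1]:first[2]] == RSA_ENCRYPTION_OID:
                    _, bvs, bve = items[i + 1]
                    key = der[bvs + 1:bve]                 # skip the unused-bits octet
                    _, kvs, _ = _read_tlv(key, 0)          # RSAPublicKey SEQUENCE
                    _, nvs, nve = _read_tlv(key, kvs)      # modulus INTEGER
                    return int.from_bytes(key[nvs:nve], "big").bit_length()
            if tag & 0x20:                                  # constructed type: descend into it
                stack.append((vs, ve))
    return None


def meets_minimum(der: bytes, minimum_bits: int = 768) -> bool:
    """True only if an RSA key was found and it is at least minimum_bits long."""
    bits = rsa_modulus_bits(der)
    return bits is not None and bits >= minimum_bits


# Constructed sample input: a DER encoder just large enough to build a SubjectPublicKeyInfo.
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _der_int(value):
    b = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if b[0] & 0x80:
        b = b"\x00" + b                    # leading zero keeps the INTEGER positive
    return _der(0x02, b)


def make_rsa_spki(bits):
    """SubjectPublicKeyInfo carrying a dummy modulus of exactly `bits` bits (not a real key)."""
    modulus = (1 << (bits - 1)) | 1
    rsa_public_key = _der(0x30, _der_int(modulus) + _der_int(65537))
    algorithm = _der(0x30, _der(0x06, RSA_ENCRYPTION_OID) + _der(0x05, b""))
    return _der(0x30, algorithm + _der(0x03, b"\x00" + rsa_public_key))
```

For a PEM file, strip the header and footer lines and base64-decode the body before calling `rsa_modulus_bits`; the same figure is printed by `openssl x509 -in cert.pem -noout -text` on the Public-Key line.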

•Rogue Location Discovery Protocol—RLDP determines whether or not the rogue is connected to the enterprise wired network. Choose one of the following from the drop-down list:

–Disable—Disables RLDP on all access points. This is the default value.

–All APs—Enables RLDP on all access points.

–Monitor Mode APs—Enables RLDP only on access points in monitor mode.

Note Make sure that rogue detection is enabled on the desired access points. Rogue detection is enabled by default for all access points joined to a controller (except for OfficeExtend access points). However, in NCS software Release 6.0 or later, you can enable or disable rogue detection for individual access points by selecting or unselecting the Rogue Detection check box in the Access Point Details page. See the "Configuring Access Points" section for more information.

Note Rogue detection is disabled by default for OfficeExtend access points because these access points, which are deployed in a home environment, are likely to detect a large number of rogue devices.

•Rogue APs

–Expiration Timeout for Rogue AP and Rogue Client Entries (seconds)—Enter the number of seconds after which the rogue access point and client entries expire and are removed from the list.

The valid range is 240 to 3600 seconds and the default value is 1200 seconds.

Note If a rogue access point or client entry times out, it is removed from the controller only if its rogue state is Alert or Threat for any classification type.

•Rogue Clients

–Validate rogue clients against AAA—Select the check box to use the AAA server or local database to validate if rogue clients are valid clients. The default value is unselected.

–Detect and report Adhoc networks—Select the check box to enable ad-hoc rogue detection and reporting. The default value is selected.

Command Buttons

•Save—Save the changes made to the client exclusion policies and return to the previous page.

•IP Theft Or Reuse—If enabled, clients are excluded if the IP address is already assigned to another device.

Step 4 Click Save to save the changes made to the client exclusion policies and return to the previous page or click Audit to compare the NCS values with those used on the controller.

Configuring IDS Signatures

You can configure IDS Signatures, or bit-pattern matching rules used to identify various types of attacks in incoming 802.11 packets, on the controller. When the signatures are enabled, the access points joined to the controller perform signature analysis on the received 802.11 data or management frames and report any discrepancies to the controller. If an attack is detected, an appropriate mitigation action is initiated.

Cisco supports 17 standard signatures on the controller as shown on the Standard Signatures and Custom Signatures pages. For more information on these IDS Signatures, see the Cisco Network Control System Configuration Guide.

Step 7 Choose Local Machine from the File Is Located On parameter. If you know the filename and path relative to the server root directory, you can also choose TFTP Server.

Step 8 In the Maximum Retries parameter, enter the maximum number of times the controller should attempt to download the signature file.

Step 9 In the Timeout parameter, enter the maximum amount of time in seconds before the controller times out while attempting to download the signature file.

Step 10 The signature files are uploaded to the c:\tftp directory. Specify the local file name in that directory or click the Browse button to navigate to it. A "revision" line in the signature file specifies whether the file is a Cisco-provided standard signature file or a site-tailored custom signature file (custom signature files must always have revision=custom).

Note If the transfer times out for some reason, you can simply choose the TFTP Server option in the File Is Located On parameter, and the server file name will be populated for you and retried. The Local Machine option initiates a two-step operation. First, the local file is copied from the administrator workstation to the NCS built-in TFTP server. Then the controller retrieves that file. For later operations, the file is already in the NCS server TFTP directory, and the download page now automatically populates the filename.

Step 11 Click OK.

Uploading Signature Files

To upload a signature file from the controller, follow these steps:

Step 1 Obtain a signature file from Cisco (hereafter called a standard signature file). You can also create your own signature file (hereafter called a custom signature file) by following the "Downloading Signature Files" section.

Step 2 Make sure you have a Trivial File Transfer Protocol (TFTP) server available for the signature download. Keep these guidelines in mind when setting up a TFTP server:

•If you are downloading through the service port, the TFTP server must be on the same subnet as the service port because the service port cannot be routed.

•If you are downloading through the distribution system network port, the TFTP server can be on the same or a different subnet because the distribution system port cannot be routed.

•A third-party TFTP server cannot run on the same computer as the Cisco NCS because the NCS built-in TFTP server and a third-party TFTP server use the same communication port.

Step 8 If the TFTP server is new, enter the TFTP IP address in the Server IP Address parameter.

Step 9 Choose Signature Files from the File Type drop-down list.

Step 10 The signature files are uploaded to the root directory which was configured for use by the TFTP server. You can change to a different directory at the Upload to File parameter (this parameter only shows if the Server Name is the default server). The controller uses this local file name as a base name and then adds _std.sig as a suffix for standard signature files and _custom.sig as a suffix for custom signature files.

Step 11 Click OK.

Global Settings for Standard and Custom Signatures

This command enables all signatures that were individually selected as enabled. If this check box remains unselected, all signatures will be disabled, even those that were previously enabled. When the signatures are enabled, the access points joined to the controller perform signature analysis on the received 802.11 data or management frames and report any discrepancies to the controller.

To enable all standard and custom signatures currently on the controller, follow these steps:

Step 1 Click an applicable Name for the type of attack you want to enable or disable.

The Standard Signature parameters page shows the list of Cisco-supplied signatures that are currently on the controller. The Custom Signatures page shows the list of customer-supplied signatures that are currently on the controller. The following parameters are displayed in both the signature page and the detailed signature page:

•Precedence—The order, or precedence, in which the controller performs the signature checks.

•Name—The type of attack the signature is trying to detect.

•Description—A more detailed description of the type of attack that the signature is trying to detect.

•Frame Type—Management or data frame type on which the signature is looking for a security attack.

•Action—What the controller is directed to do when the signature detects an attack. One possibility is None, where no action is taken, and another is Report, to report the detection.

•Frequency—The signature frequency or the number of matching packets per interval that must be identified at the detecting access point level before an attack is detected. The range is 1 to 32,000 packets per interval and the default value is 50 packets per interval.

•Quiet Time—The length of time (in seconds) during which no attacks have been detected at the individual access point level, after which the alarm can stop. This time appears only if the MAC information is all or both. The range is 60 to 32,000 seconds and the default value is 300 seconds.

•MAC Information—Whether the signature is to be tracked per network or per MAC address or both at the detecting access point level.

•MAC Frequency—The signature MAC frequency or the number of matching packets per interval that must be identified at the controller level before an attack is detected. The range is 1 to 32,000 packets per interval and the default value is 30 packets per interval.

•Interval—Enter the length of the interval, in seconds, over which matching packets are counted toward the signature frequency threshold. The range is 1 to 3600 seconds and the default value is 1 second.

•Enable—Select this check box to enable this signature to detect security attacks or unselect it to disable this signature.

•Signature Patterns—The pattern that is being used to detect a security attack.

Step 2 From the Enable drop-down list, choose Yes. Because you are downloading a customized signature, you should enable the files named with the _custom.sig suffix and disable the standard signature with the same name but differing suffix. For example, if you are customizing broadcast probe flood, you want to disable broadcast probe flood in the standard signatures but enable it in custom signatures.

Step 3 Click Save.
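How the signature parameters above (Frame Type, Signature Patterns, Frequency, Interval, Quiet Time, MAC Information, Action, Enable, Precedence) combine into a detector, as an added example; it is illustrative code, not the controller's implementation and not the Cisco signature file format. The signature, the frame records and the probe-request burst are constructed for the example; the AP-level Frequency is modelled, the controller-level MAC Frequency is not:

```python
"""Added example (not Cisco's code): an access-point-side signature engine that counts
pattern matches per interval, per network and/or per source MAC, raises an alarm at the
frequency threshold and clears it after the quiet time."""
from dataclasses import dataclass


@dataclass
class Signature:
    precedence: int
    name: str
    frame_type: str                 # "mgmt" or "data" (Frame Type)
    patterns: list                  # [(offset, bytes)], all must match (Signature Patterns)
    frequency: int = 50             # matching packets per interval per AP (Frequency)
    interval: int = 1               # seconds (Interval)
    quiet_time: int = 300           # seconds without a match before the alarm clears (Quiet Time)
    mac_info: str = "all"           # "all" = per network, "mac" = per source MAC, "both"
    action: str = "report"          # "none" or "report" (Action)
    enabled: bool = True            # Enable


@dataclass
class Frame:
    ts: float                       # capture time in seconds
    ap: str                         # detecting access point
    frame_type: str
    src_mac: str
    body: bytes                     # raw frame, starting with the frame control field


class SignatureEngine:
    def __init__(self, signatures):
        self.sigs = sorted((s for s in signatures if s.enabled), key=lambda s: s.precedence)
        self.windows = {}    # (signature, ap, key) -> [interval start, matches in interval]
        self.alarms = {}     # (signature, ap, key) -> time of the latest matching frame
        self.reports = []    # (ts, signature, ap, key) sent to the controller

    @staticmethod
    def _matches(sig, frame):
        if sig.frame_type != frame.frame_type:
            return False
        return all(frame.body[off:off + len(pat)] == pat for off, pat in sig.patterns)

    @staticmethod
    def _track_keys(sig, frame):
        keys = []
        if sig.mac_info in ("all", "both"):
            keys.append("network")
        if sig.mac_info in ("mac", "both"):
            keys.append(frame.src_mac)
        return keys

    def process(self, frame):
        for sig in self.sigs:                      # checked in precedence order
            if not self._matches(sig, frame):
                continue
            for key in self._track_keys(sig, frame):
                slot = (sig.name, frame.ap, key)
                win = self.windows.setdefault(slot, [frame.ts, 0])
                if frame.ts - win[0] >= sig.interval:
                    win[0], win[1] = frame.ts, 0      # a new counting interval begins
                win[1] += 1
                if slot in self.alarms:
                    self.alarms[slot] = frame.ts      # attack still in progress
                elif win[1] >= sig.frequency:
                    self.alarms[slot] = frame.ts
                    if sig.action == "report":
                        self.reports.append((frame.ts, sig.name, frame.ap, key))

    def expire(self, now):
        """Clear alarms that have seen no matching frame for the signature's quiet time."""
        for slot, last in list(self.alarms.items()):
            sig = next(s for s in self.sigs if s.name == slot[0])
            if now - last >= sig.quiet_time:
                del self.alarms[slot]
                self.windows.pop(slot, None)


PROBE_REQUEST = b"\x40\x00"   # frame control field of an 802.11 probe request


def run_demo():
    sig = Signature(precedence=1, name="constructed-probe-flood", frame_type="mgmt",
                    patterns=[(0, PROBE_REQUEST)], frequency=50, interval=1,
                    quiet_time=300, mac_info="both")
    engine = SignatureEngine([sig])
    # normal scanning: 5 probe requests spread over 10 s never reach the threshold
    for i in range(5):
        engine.process(Frame(i * 2.0, "ap-1", "mgmt", "00:11:22:33:44:55", PROBE_REQUEST + b"\x00" * 20))
    # constructed burst: 60 probe requests from one source within 0.3 s trip the 50-per-second threshold
    for i in range(60):
        engine.process(Frame(100.0 + i * 0.005, "ap-1", "mgmt", "aa:bb:cc:dd:ee:ff", PROBE_REQUEST + b"\xff" * 20))
    reports = list(engine.reports)
    active = len(engine.alarms)
    engine.expire(now=401.0)          # more than the quiet time after the last matching frame
    return reports, active, len(engine.alarms)
```

With MAC Information set to both, the burst produces two reports, one for the network-wide counter and one for the offending source MAC; the alarm then clears only after the quiet time has passed without further matches.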

Configuring Custom Signatures

The Custom Signature page shows the list of customer-supplied signatures that are currently on the controller.

Command Buttons

•Save—Save the current settings.

•Audit—Discover the present status of this access point.

Sniffer feature

When the sniffer feature is enabled on an access point, the access point functions as a sniffer and captures and forwards all the packets on a particular channel to a remote machine that runs AiroPeek. The packets contain information on timestamp, signal strength, packet size, and so on.

Note The sniffer feature can be enabled only if you are running AiroPeek, which is a third-party network analyzer software that supports decoding of data packets. For more information on AiroPeek, see the following URL: www.wildpackets.com/products/airopeek/overview

Prerequisites for Using the Sniffer Feature

Before using the sniffer feature, you must have completed the following:

•Configured an access point in sniffer mode at the remote site. For information on how to configure an access point in sniffer mode, see AP mode in Configuring an AP in Sniffer Mode Using the Web User Interface.

•Installed AiroPeek version 2.05 or later on a Windows XP machine.

Note You must be a WildPackets Maintenance Member to download the following dll files. See the following URL:

Step 6 Choose the remote Cisco adapter from the list of adapter modules.

Step 7 Expand it to locate the new remote adapter option. Double-click it to open a new page, enter a name in the text box provided and enter the controller management interface IP in the IP address column.

Step 8 Click OK. The new adapter will be added to the remote Cisco adapter.

Step 9 Select the new adapter for remote AiroPeek capture using the access point.

Setting Multiple Country Codes

To set multiple country support for a single controller that is not part of a mobility group, follow these steps:

Step 1 Choose Configure > Controllers.

Step 2 Click the controller for which you are adding countries.

Step 3 Choose 802.11 > General from the left sidebar menu.

Step 4 Select the check box to choose which country you want to add. Access points are designed for use in many countries with varying regulatory requirements. You can configure a country code to ensure that it complies with your country regulations.

Note Access points may not operate properly if they are not designed for use in your country of operation. For example, an access point with part number AIR-AP1030-A-K9 (which is included in the Americas regulatory domain) cannot be used in Australia. Always be sure to purchase access points that match your country regulatory domain. For a complete list of country codes supported per product, see http://www.cisco.com/warp/public/779/smbiz/wireless/approvals.html.

Step 5 Enter the time (in seconds) after which the authentication response will timeout.

Configuring Aggressive Load Balancing

Note Clients are load balanced between access points on the same controller. Load balancing does not occur between access points on different controllers.

When a wireless client attempts to associate to a lightweight access point, association response packets are sent to the client with an 802.11 response packet including status code 17. This code indicates whether the access point can accept any more associations. If the access point is too busy, the client attempts to associate to a different access point in the area. The system determines if an access point is relatively more busy than its neighbor access points that are also accessible to the client.

For example, if the number of clients on AP1 is more than the number of clients on AP2 plus the load-balancing window, then AP1 is considered to be busier than AP2. When a client attempts to associate to AP1, it receives an 802.11 response packet with status code 17, indicating that the access point is busy, and the client attempts to associate to a different access point.

You can configure the controller to deny client associations up to 10 times (if a client attempted to associate 11 times, it would be allowed to associate on the 11th try). You can also enable or disable load balancing on a particular WLAN, which is useful if you want to disable load balancing for a select group of clients (such as time-sensitive voice clients).

Step 4 Enter a value between 1 and 20 for the client window size. The window size becomes part of the algorithm that determines whether an access point is too heavily loaded to accept more client associations:

In the group of access points accessible to a client device, each access point has a different number of client associations. The access point with the lowest number of clients has the lightest load. The client window size plus the number of clients on the access point with the lightest load forms the threshold. Access points with more client associations than this threshold are considered busy, and clients can associate only to access points with client counts lower than the threshold.

Step 5 Enter a value between 0 and 10 for the max denial count. The denial count sets the maximum number of association denials during load balancing.

Step 6 Click Save.

Step 7 To enable or disable aggressive load balancing on specific WLANs, browse to the WLAN Configuration page, and click the Advanced tab. For instructions on using the WLAN Configuration page, see the "Configuring Controller WLANs" section.
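The threshold, status code 17 and denial-count behaviour described in this section, as an added example (illustrative code, not the controller's implementation). The client counts, MAC addresses and window/denial values are constructed; the per-WLAN flag models Step 7:

```python
"""Added example (not Cisco's code): the aggressive load balancing decision.
threshold = lightest AP's client count + window; an AP above it is busy and answers
with status code 17 until the client has been denied max_denials times."""


def busy_access_points(client_counts: dict, window: int) -> set:
    """Set of access points whose client count exceeds the lightest AP plus the window."""
    if not 1 <= window <= 20:
        raise ValueError("client window size must be between 1 and 20")
    threshold = min(client_counts.values()) + window
    return {ap for ap, count in client_counts.items() if count > threshold}


class AggressiveLoadBalancer:
    STATUS_SUCCESS = 0
    STATUS_AP_BUSY = 17        # 802.11 association status code the text refers to

    def __init__(self, window: int = 5, max_denials: int = 3):
        if not 0 <= max_denials <= 10:
            raise ValueError("max denial count must be between 0 and 10")
        self.window = window
        self.max_denials = max_denials
        self.denials = {}      # client MAC -> consecutive denials so far

    def association_response(self, client_mac, ap, client_counts, wlan_load_balancing=True):
        """Status code returned for one association attempt by client_mac at ap."""
        busy = wlan_load_balancing and ap in busy_access_points(client_counts, self.window)
        denied_so_far = self.denials.get(client_mac, 0)
        if busy and denied_so_far < self.max_denials:
            self.denials[client_mac] = denied_so_far + 1
            return self.STATUS_AP_BUSY
        self.denials.pop(client_mac, None)     # accepted: reset the client's denial count
        return self.STATUS_SUCCESS


def run_demo():
    # constructed client counts; with window 5 the threshold is 4 + 5 = 9, so only AP1 is busy
    counts = {"AP1": 12, "AP2": 4, "AP3": 6}
    lb = AggressiveLoadBalancer(window=5, max_denials=3)
    busy = busy_access_points(counts, 5)
    # a client that insists on AP1 is denied three times and accepted on the fourth try
    ap1_attempts = [lb.association_response("aa:bb:cc:00:00:01", "AP1", counts) for _ in range(4)]
    # a client that follows the hint to AP2 is accepted immediately
    ap2_attempt = lb.association_response("aa:bb:cc:00:00:02", "AP2", counts)
    # a voice WLAN with load balancing disabled: AP1 accepts at once
    voice = lb.association_response("aa:bb:cc:00:00:03", "AP1", counts, wlan_load_balancing=False)
    return busy, ap1_attempts, ap2_attempt, voice
```

With the page's maximum of 10 denials the same logic denies attempts 1 through 10 and admits the 11th; a max denial count of 0 disables the denial entirely while leaving the busy calculation in place.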

Configuring Band Selection

Band selection enables client radios that are capable of dual-band (2.4- and 5-GHz) operation to move to a less congested 5-GHz access point. The 2.4-GHz band is often congested. Clients on this band typically experience interference from Bluetooth devices, microwave ovens, and cordless phones as well as co-channel interference from other access points because of the 802.11b/g limit of three non-overlapping channels. To combat these sources of interference and improve overall network performance, you can configure band selection on the controller.

Band selection works by regulating probe responses to clients. It makes 5-GHz channels more attractive to clients by delaying probe responses to clients on 2.4-GHz channels.

You can enable band selection globally on a controller, or you can enable or disable band selection for a particular WLAN, which is useful if you want to disable it for a select group of clients (such as time-sensitive voice clients).

Note Band-selection-enabled WLANs do not support time-sensitive applications like voice and video because of roaming delays.

Guidelines for Using Band Selection

Follow these guidelines when using band selection:

•Band selection can be used only with Cisco Aironet 1140 and 1250 series access points.

•Band selection operates only on access points that are connected to a controller. A hybrid-REAP access point without a controller connection does not perform band selection after a reboot.

•The band-selection algorithm directs dual-band clients only from the 2.4-GHz radio to the 5-GHz radio of the same access point, and it only runs on an access point when both the 2.4-GHz and 5-GHz radios are up and running.

•You can enable both band selection and aggressive load balancing on the controller. They run independently and do not impact one another.

Configuration Steps

To configure band selection, follow these steps:

Step 1 Choose Configure > Controllers.

Step 2 Choose the controller that you need to configure.

Step 3 Choose 802.11 > Band Select from the left sidebar menu. The band select page appears (see Figure 9-13).

Figure 9-13 Band Select

Step 4 Enter a value between 1 and 10 for the probe cycle count. The cycle count sets the number of suppression cycles for a new client. The default cycle count is 2.

Step 5 Enter a value between 1 and 1000 milliseconds for the scan cycle period threshold. This setting determines the time threshold during which new probe requests from a client come from a new scanning cycle. The default cycle threshold is 200 milliseconds.

Step 6 Enter a value between 10 and 200 seconds for the age out suppression parameter. Age-out suppression sets the expiration time for pruning previously known 802.11b/g clients. The default value is 20 seconds. After this time elapses, clients become new and are subject to probe response suppression.

Step 7 Enter a value between 10 and 300 seconds for the age out dual band parameter. The age-out period sets the expiration time for pruning previously known dual-band clients. The default value is 60 seconds. After this time elapses, clients become new and are subject to probe response suppression.

Step 8 Enter a value between -20 and -90 dBm for the acceptable client RSSI parameter. This parameter sets the minimum RSSI for a client to respond to a probe. The default value is -80 dBm.

Step 9 Click Save.

Step 10 To enable or disable band selection on specific WLANs, browse to the WLAN Configuration page and click the Advanced tab. For instructions on using the WLAN Configuration page, see the "Configuring Controller WLANs" section.
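The probe-response suppression that Steps 4 through 8 configure, as an added example; it is illustrative code, not the controller's algorithm. The state machine is one reading of the five parameters: probe requests closer together than the scan cycle period threshold belong to one scan cycle, a new client is suppressed for the probe cycle count, a client seen on 5 GHz stays suppressed on 2.4 GHz until the dual-band age-out, a known 2.4 GHz-only client is pruned after the suppression age-out, and (an assumption) a client below the acceptable RSSI is answered at once because it is too weak to steer. The MAC addresses and probe timings are constructed:

```python
"""Added example (not Cisco's code): band select as a per-client probe-response state machine."""


class BandSelect:
    def __init__(self, probe_cycle_count=2, scan_cycle_threshold_ms=200,
                 age_out_suppression_s=20, age_out_dual_band_s=60, acceptable_rssi_dbm=-80):
        in_range = [1 <= probe_cycle_count <= 10, 1 <= scan_cycle_threshold_ms <= 1000,
                    10 <= age_out_suppression_s <= 200, 10 <= age_out_dual_band_s <= 300,
                    -90 <= acceptable_rssi_dbm <= -20]
        if not all(in_range):
            raise ValueError("parameter outside the configurable range")
        self.probe_cycle_count = probe_cycle_count
        self.scan_cycle_threshold_ms = scan_cycle_threshold_ms
        self.age_out_suppression_s = age_out_suppression_s
        self.age_out_dual_band_s = age_out_dual_band_s
        self.acceptable_rssi_dbm = acceptable_rssi_dbm
        self.clients = {}   # MAC -> {"last_ms", "cycles", "dual_ms"}

    def _age_out(self, now_ms):
        """Prune stale entries; a pruned client is 'new' again and is suppressed afresh."""
        for mac, st in list(self.clients.items()):
            if st["dual_ms"] is not None:
                expired = now_ms - st["dual_ms"] >= self.age_out_dual_band_s * 1000
            else:
                expired = now_ms - st["last_ms"] >= self.age_out_suppression_s * 1000
            if expired:
                del self.clients[mac]

    def probe_request(self, mac, band, rssi_dbm, now_ms):
        """True = answer this probe request now, False = suppress the response."""
        self._age_out(now_ms)
        st = self.clients.get(mac)
        if st is None:
            st = self.clients[mac] = {"last_ms": None, "cycles": 0, "dual_ms": None}
        if band == "5GHz":
            st["dual_ms"] = st["last_ms"] = now_ms     # proof of dual-band capability
            return True
        if rssi_dbm < self.acceptable_rssi_dbm:
            st["last_ms"] = now_ms
            return True                                # assumption: too weak to steer, answer now
        if st["last_ms"] is None or now_ms - st["last_ms"] >= self.scan_cycle_threshold_ms:
            st["cycles"] += 1                          # probes further apart start a new scan cycle
        st["last_ms"] = now_ms
        if st["dual_ms"] is not None:
            return False                               # known dual-band client: keep 2.4 GHz unattractive
        return st["cycles"] > self.probe_cycle_count


def run_demo():
    """Constructed timeline (ms) with the default parameters."""
    bs = BandSelect()
    # a: 2.4 GHz-only client; suppressed for two scan cycles, answered on the third
    a = [bs.probe_request("a", "2.4GHz", -55, t) for t in (0, 50, 1000, 2000)]
    # b: dual-band client; answered on 5 GHz, suppressed on 2.4 GHz until the 60 s age-out,
    #    after which it counts as new and goes through the cycle count again
    b_5ghz = bs.probe_request("b", "5GHz", -60, 3000)
    b_24ghz = [bs.probe_request("b", "2.4GHz", -60, t) for t in (3100, 8000, 63100, 63400, 63700)]
    # c: client below the acceptable RSSI is answered immediately
    c = bs.probe_request("c", "2.4GHz", -85, 63800)
    return {"a": a, "b_5ghz": b_5ghz, "b_24ghz": b_24ghz, "c": c}
```

The delays this introduces for 2.4 GHz clients are the reason the note above excludes voice and video WLANs from band selection.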

Configuring 802.11 Media Parameters

To configure the media parameters for 802.11, follow these steps:

Step 1 Choose Configure > Controllers.

Step 2 Click the applicable IP address.

Step 3 From the left sidebar menu, choose 802.11 > Media Stream.

Step 4 In the Media Stream Configuration section, specify the following parameters

•Media Stream Name

•Multicast Destination Start IP—Start IP address of the media stream to be multicast

•Multicast Destination End IP—End IP address of the media stream to be multicast

•Maximum Expected Bandwidth—Maximum bandwidth that a media stream can use

Step 5 In the Resource Reservation Control (RRC) Parameters group box, specify the following parameters:

•Average Packet Size—Average packet size that a media stream can use.

•RRC Periodical Update—Resource Reservation Control calculations that are updated periodically; if disabled, RRC calculations are done only once when a client joins a media stream.

•RRC Priority—Priority of RRC with the highest at 1 and the lowest at 8.

•Traffic Profile Violation—Specifies whether the stream is dropped or put in the best-effort queue if the stream violates the QoS video profile.

–Avoid Cisco AP load—Enable to have controllers consider the traffic bandwidth used by each access point when assigning channels to access points.

–Avoid non 802.11 Noise—Enable to have access points avoid channels that have interference from non-access point sources, such as microwave ovens or Bluetooth devices. Disable this parameter to have RRM ignore this interference.

–Signal Strength Contribution—Not configurable.

–Avoid Persistent Non-WiFi Interference

•Data Rates

–Ranges between 6 Mbps and 54 Mbps—Supported, Mandatory, or Disabled.

•Noise/Interference/Rogue Monitoring Channels.

–Channel List—All Channels, Country Channels, DCA Channels.

Note Dynamic Channel Allocation (DCA) automatically selects a reasonably good channel allocation from a set of managed devices connected to the controller.

Note When the Coverage Thresholds Min SNR Level (dB) parameter is adjusted, the value of the Signal Strength (dB) automatically reflects this change. The Signal Strength (dB) parameter provides information regarding what the target range of coverage thresholds will be when adjusting the SNR value.

Step 5 Click Save.

Configuring 802.11a/n RRM Intervals

To configure 802.11a/n or 802.11b/g/n RRM intervals for an individual controller, follow these steps:

Note The default for the following four RRM interval parameters is 300 seconds.

Step 4 Enter the interval at which you want signal strength measurements taken for each access point.

Step 5 Enter the interval at which you want noise and interference measurements taken for each access point.

Step 6 Enter the interval at which you want load measurements taken for each access point.

Step 7 Enter the interval at which you want coverage measurements taken for each access point.

Step 8 Click Save.

Configuring 802.11a/n RRM Transmit Power Control

The controller dynamically controls access point transmit power based on real-time wireless LAN conditions. Normally, power can be kept low to gain extra capacity and reduce interference. The controller attempts to balance the access points' transmit power according to how the access points are seen by their third strongest neighbor.

The transmit power control (TPC) algorithm both increases and decreases an access point's power in response to changes in the RF environment. In most instances TPC will seek to lower an access point's power to reduce interference, but in the case of a sudden change in the RF coverage—for example, if an access point fails or becomes disabled—TPC can also increase power on surrounding access points. This feature is different from Coverage Hole Detection, explained below. Coverage hole detection is primarily concerned with clients, while TPC is tasked with providing enough RF power to achieve desired coverage levels while avoiding channel interference between access points.

To configure 802.11a/n or 802.11b/g/n RRM TPC, follow these steps:

Step 1 Choose Configure > Controller.

Step 2 Click an applicable IP address.

Step 3 From the left sidebar menu, choose 802.11a/n-RRM > TPC.

Step 4 Configure the following TPC parameters:

•Template Applied—The name of the template applied to this controller.

•Dynamic Assignment—At the Dynamic Assignment drop-down list, choose one of three modes:

–Automatic—The transmit power is periodically updated for all access points that permit this operation.

–On Demand—Transmit power is updated when the Assign Now button is selected.

–Disabled—No dynamic transmit power assignments occur, and values are set to their global default.

•Maximum Power Assignment—Indicates the maximum power assigned.

–Range: -10 to 30 dB

–Default: 30 dB

•Minimum Power Assignment—Indicates the minimum power assigned.

–Range: -10 to 30 dB

–Default: 30 dB

•Dynamic Tx Power Control—Select to enable Dynamic Tx Power Control.

•Transmitted Power Threshold—Enter a transmitted power threshold between -50 and -80.

•Control Interval—In seconds (read-only).

Step 5 Click Save.
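A simplified version of the TPC decision described at the start of this section, as an added example (illustrative code, not the controller's algorithm). The text says power is balanced according to how each access point is heard by its third-strongest neighbor and that a threshold between -80 and -50 is configured; the rule that power moves by the gap between that neighbor's RSSI and the threshold, the hold when fewer than three neighbors report, and the neighbor reports themselves are assumptions made for the example. Power values are in dBm:

```python
"""Added example (not Cisco's code): one transmit power control step per access point,
driven by the RSSI at which its third-strongest neighbor hears it."""


def third_strongest_neighbor(neighbor_rssi_dbm):
    """RSSI at which this AP's third-strongest neighbor hears it, or None if fewer than three."""
    if len(neighbor_rssi_dbm) < 3:
        return None
    return sorted(neighbor_rssi_dbm, reverse=True)[2]


def tpc_step(current_power_dbm, neighbor_rssi_dbm, threshold_dbm,
             min_power_dbm=-10, max_power_dbm=30):
    """Return (new power, reason). Assumed rule: power changes by the gap between the
    third-strongest neighbor's RSSI and the threshold, clamped to the min/max assignment."""
    if not -80 <= threshold_dbm <= -50:
        raise ValueError("transmitted power threshold must be between -80 and -50")
    rssi3 = third_strongest_neighbor(neighbor_rssi_dbm)
    if rssi3 is None:
        return current_power_dbm, "hold: fewer than three neighbors"
    target = current_power_dbm - (rssi3 - threshold_dbm)   # heard too loudly -> lower power
    target = max(min_power_dbm, min(max_power_dbm, target))
    if target < current_power_dbm:
        reason = "lower: reduce interference between access points"
    elif target > current_power_dbm:
        reason = "raise: fill coverage, e.g. after a neighbor failed"
    else:
        reason = "hold"
    return target, reason


def run_demo():
    # constructed neighbor reports: the RSSI (dBm) at which each neighbor hears the AP
    reports = {
        "AP-A": (17, [-55, -60, -63, -75]),   # third strongest -63 > -70: lower by 7
        "AP-B": (8, [-64, -78, -82]),         # third strongest -82 < -70: raise by 12
        "AP-C": (14, [-50, -52]),             # too few neighbors: hold
        "AP-D": (3, [-95, -96, -99]),         # would need +29; clamped to the 30 dBm maximum
    }
    return {ap: tpc_step(power, rssi, threshold_dbm=-70)[0] for ap, (power, rssi) in reports.items()}
```

AP-B shows the behaviour the text contrasts with coverage hole detection: when neighbors fall away, TPC raises power on the survivors rather than waiting for clients to report poor coverage.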

Configuring 802.11a/n RRM Dynamic Channel Allocation

The Radio Resource Management (RRM) Dynamic Channel Assignment (DCA) page allows you to choose the DCA channels as well as the channel width for this controller.

Note You can also configure the channel width on the access point page by choosing Configure > Access Points, and clicking the 802.11a/n link in the Radio column. The Current RF Channel Assignment is provided, and you can choose the Global assignment method or choose Custom to specify a channel.

Figure 9-14 802.11a/n RRM DCA Page

Step 4 From the Channel Width drop-down list, choose 20 MHz or 40 MHz. Prior to software release 5.1, 40-MHz channels were only statically configurable. Only radios with 20-MHz channels were supported by DCA. With 40 MHz, radios can achieve higher instantaneous data rates; however, larger bandwidths reduce the number of non-overlapping channels so certain deployments could have reduced overall network throughput.

Note Be cautious about deploying a mix of 20-MHz and 40-MHz devices. The 40-MHz devices have slightly different channel access rules which may negatively impact the 20-MHz devices.

Note To view the channel width for an access point's radio, go to Monitor > Access Points > name > Interfaces tab. You can also view the channel width and antenna selections by choosing Configure > Access Points and clicking the desired radio in the Radio column.

Step 5 Select the check boxes for the appropriate DCA channels. The selected channels are listed in the Selected DCA channels list.

Step 6 Enable or disable event-driven radio resource management (RRM) using the following parameters. Event Driven RRM is used when a CleanAir-enabled access point detects a significant level of interference.

•Sensitivity Threshold—If Event Driven RRM is enabled, this field displays the threshold level at which event-driven RRM is triggered. It can have a value of either Low, Medium, or High. When the interference for the access point rises above the threshold level, RRM initiates a local Dynamic Channel Assignment (DCA) run and changes the channel of the affected access point radio if possible to improve network performance. Low represents a decreased sensitivity to changes in the environment while High represents an increased sensitivity.

Step 7 Click Save.

Configuring 802.11a/n RRM Radio Grouping

To configure 802.11a/n or 802.11b/g/n RRM Radio Grouping for an individual controller, follow these steps:

Step 4 Choose a grouping mode from the drop-down list. The following parameters appear:

•Automatic—Allows you to activate the automatic RRM Grouping Algorithm. This is the default mode.

•Off—Allows you to deactivate the automatic grouping.

•Leader—Allows you to assign members to the group.

Step 5 Choose a group update interval (secs) from the drop-down list. When grouping is on, this interval (in seconds) represents the period with which the grouping algorithm is run by the Group Leader. The grouping algorithm also runs when the group membership changes and automatic grouping is enabled. A dynamic grouping can be started upon request from the system administrator. The default value is 600 seconds.

Step 6 In the Group Members group box, click Add >. The selected controller moves from the Available Controllers to the RF Group Members list.

Note The RF Group Members group box appears only when the grouping mode is set to Leader.

Note The maximum number of controllers that can be added to an RF group is 20.

•Admission Control (ACM)—Select the check box to enable admission control.

For end users to experience acceptable audio quality during a VoIP phone call, packets must be delivered from one endpoint to another with low latency and low packet loss. To maintain QoS under differing network loads, call admission control (CAC) is required. CAC on an access point allows it to maintain controlled QoS when the network is experiencing congestion and keep the maximum allowed number of calls to an acceptable quantity.

•CAC Method—If Admission Control (ACM) is enabled, specify the CAC method as either load-based or static.

Load-based CAC incorporates a measurement scheme that takes into account the bandwidth consumed by all traffic types from itself, from co-channel access points, and by co-located channel interference. Load-based CAC also covers the additional bandwidth consumption resulting from PHY and channel impairment.

In load-based CAC, the access point periodically measures and updates the utilization of the RF channel, channel interference, and the additional calls that the access point can admit. The access point admits a new call only if the channel has enough unused bandwidth to support that call. By doing so, load-based CAC prevents over-subscription of the channel and maintains QoS under all conditions of WLAN loading and interference.

•Maximum Bandwidth Allowed—Specify the percentage of maximum bandwidth allowed. This option is only available when CAC is enabled.

•Reserved Roaming Bandwidth—Specify the percentage of reserved roaming bandwidth. This option is only available when CAC is enabled.

•Expedited Bandwidth—Select the check box to enable expedited bandwidth as an extension of CAC for emergency calls.

You must have an expedited bandwidth that is CCXv5 compliant so that a TSPEC request is given higher priority.

•SIP CAC—Select the check box to enable SIP CAC.

SIP CAC should be used only for phones that support status code 17 and do not support TSPEC-based admission control.

•SIP Codec—Specify the codec name you want to use on this radio. The available options are G.711, G.729, and User Defined.

•SIP Call Bandwidth—Specify the bandwidth in kilobits per second that you want to assign per SIP call on the network. This parameter can be configured only when the SIP Codec selected is User Defined.

•SIP Sample Interval—Specify the sample interval in milliseconds that the codec must operate in.

•Max Voice Calls per Radio—Specify the maximum number of voice calls that can be made per Radio.

•Max Roaming Reserved Calls per Radio—Specify the maximum number of roaming calls that can be reserved per Radio.

Note The Max Voice Calls per Radio and Max Roaming Reserved Calls per Radio options are available only if the CAC Method is specified as Static and SIP CAC is enabled.

•Metric Collection—Select the check box to enable metric collection.

Traffic stream metrics are a series of statistics about VoIP over your wireless LAN which inform you of the QoS of the wireless LAN. For the access point to collect measurement values, traffic stream metrics must be enabled. When this is enabled, the controller begins collecting statistical data every 90 seconds for the 802.11b/g interfaces from all associated access points. If you are using VoIP or video, this feature should be enabled.

Step 5 On the Video tab, specify the following parameters:

•Admission Control (ACM)—Select the check box to enable admission control.

•Maximum Bandwidth Allowed—Specify the percentage of maximum bandwidth allowed. This option is only available when CAC is enabled.

•Reserved Roaming Bandwidth—Specify the percentage of reserved roaming bandwidth. This option is only available when CAC is enabled.

•Unicast Video Redirect—Select the Unicast Video Redirect check box so that all non-media stream packets in the video queue are redirected to the best effort queue. If disabled, all packets with video marking are kept in the video queue.

•Multicast Direct Enable—Select the Multicast Direct Enable check box to enable Media Direct on this radio for any WLAN that has Media Direct enabled.

•Maximum Number of Streams per Radio—Specify the maximum number of streams per Radio to be allowed.

•Maximum Number of Streams per Client—Specify the maximum number of streams per Client to be allowed.

•Best Effort QOS Admission—Select the Best Effort QOS Admission check box to redirect new client requests to the best effort queue. This happens only if all the video bandwidth has been used.

Note If disabled and maximum video bandwidth has been used, then any new client request is rejected.

Step 6 In the General tab, specify the following parameter:

•Maximum Media Bandwidth (0 to 85%)—Specify the percentage of maximum bandwidth allowed. This option is only available when CAC is enabled.

Step 7 Click Save.

Note The SIP settings are available only on the following controllers: 4400 and 5500, and only on the following access points: 1240, 1130, and 11n.

Command Buttons

•Save—Save the changes made.

•Audit—Compare the NCS values with those used on the controller.

Configuring 802.11a/n EDCA Parameters

The EDCA parameters (EDCA profile and Streaming MAC Enable settings) for 802.11a/n and 802.11b/g/n can be configured either by individual controller or through a controller template to improve voice QoS support.

To configure 802.11a/n or 802.11b/g/n EDCA parameters for an individual controller, follow these steps:

•Custom values—Activates the text boxes to enable editing of the roaming parameters.

Step 5 In the Minimum RSSI text box, enter a value for the minimum Received Signal Strength Indicator (RSSI) required for the client to associate to an access point.

•Range: -80 to -90 dBm

•Default: -85 dBm

Note If the client average received signal power dips below this threshold, reliable communication is typically impossible; clients must already have found and roamed to another access point with a stronger signal before the minimum RSSI value is reached.

Step 6 In the Hysteresis text box, enter a value to indicate how strong the signal strength of a neighboring access point must be for the client to roam to it.

This parameter is intended to reduce the amount of "ping ponging" between access points if the client is physically located on or near the border between two access points.

•Range: 2 to 4 dB

•Default: 3 dB

Step 7 In the Adaptive Scan Threshold text box, enter the RSSI value, from a client associated access point, below which the client must be able to roam to a neighboring access point within the specified transition time.

This parameter provides a power-save method to minimize the time that the client spends in active or passive scanning. For example, the client can scan slowly when the RSSI is above the threshold and scan more rapidly when below the threshold.

•Range: -70 to -77 dB

•Default: -72 dB

Step 8 In the Transition Time text box, enter the maximum time allowed for the client to detect a suitable neighboring access point to roam to and to complete the roam, whenever the RSSI from the client associated access point is below the scan threshold.

The Scan Threshold and Transition Time parameters guarantee a minimum level of client roaming performance. Together with the highest expected client speed and roaming hysteresis, these parameters make it possible to design a wireless LAN network that supports roaming simply by ensuring a certain minimum overlap distance between access points.

•Range: 1 to 10 seconds

•Default: 5 seconds

Step 9 Click Save.

Configuring 802.11a/n 802.11h Parameters

To configure 802.11h parameters for an individual controller, follow these steps:

Step 5 Select the channel announcement check box to enable channel announcement. Channel announcement is a method in which the access point announces when it is switching to a new channel and the new channel number.

Step 6 Click Save.

Configuring 802.11a/n High Throughput (802.11n) Parameters

To configure 802.11a/n or 802.11b/g/n high throughput parameters, follow these steps:

Step 1 Choose Configure > Controller.

Step 2 Click an applicable IP address.

Step 3 From the left sidebar menu, choose 802.11a/n > High Throughput or 802.11b/g/n > High Throughput.

Step 5 In the MCS (Data Rate) Settings, choose which data rate levels you want supported. MCS stands for modulation and coding scheme; MCS indexes play the same role for 802.11n that data rates play for 802.11a. By default, a 20 MHz channel and the short guard interval are used.

Note When you select the Supported check box, the chosen numbers appear in the Selected MCS Indexes page.

Step 6 Click Save.

Configuring 802.11a/n CleanAir Parameters

To configure 802.11a/n CleanAir parameters, follow these steps:

Step 1 Choose Configure > Controller.

Step 2 Click an applicable IP address.

Step 3 From the left sidebar menu, choose 802.11a/n > CleanAir to view the following information.

•CleanAir—Select the check box to enable CleanAir functionality on the 802.11 a/n network, or unselect to disable CleanAir functionality. The default value is selected.

•Reporting Configuration—Use the parameters in this section to configure the interferer devices you want to include for your reports.

–Report—Select the report interferers check box to enable the CleanAir system to detect and report sources of interference, or unselect it to prevent the controller from reporting interferers. The default value is selected.

–Make sure that any sources of interference that need to be detected and reported by the CleanAir system appear in the Interferences to Detect text box and any that do not need to be detected appear in the Interferers to Ignore text box. Use the > and < buttons to move interference sources between these two text boxes. By default, all interference sources are detected.

•Alarm Configuration—This section enables you to configure triggering of air quality alarms.

–Air Quality Alarm—Select the Air Quality Alarm check box to enable the triggering of air quality alarms, or unselect the box to disable this feature. The default value is selected.

–Air Quality Alarm Threshold—If you selected the Air Quality Alarm check box, enter a value between 1 and 100 (inclusive) in the Air Quality Alarm Threshold text box to specify the threshold at which you want the air quality alarm to be triggered. When the air quality falls below the threshold level, the alarm is triggered. A value of 1 represents the worst air quality, and 100 represents the best. The default value is 35.

–Interferers For Security Alarm—Select the Interferers For Security Alarm check box to trigger interferer alarms when the controller detects specified device types, or unselect it to disable this feature. The default value is selected.

–Make sure that any sources of interference that need to trigger interferer alarms appear in the Interferers Selected for Security Alarms text box and any that do not need to trigger interferer alarms appear in the Interferers Ignored for Security Alarms text box. Use the > and < buttons to move interference sources between these two boxes. By default, all interference sources trigger interferer alarms.

•Event Driven RRM—To trigger spectrum event-driven Radio Resource Management (RRM) to run when a CleanAir-enabled access point detects a significant level of interference, use the following parameters:

–Event Driven RRM—Displays the current status of spectrum event-driven RRM.

–Sensitivity Threshold—If Event Driven RRM is enabled, this text box displays the threshold level at which event-driven RRM is triggered. It can have a value of either Low, Medium, or High. When the interference for the access point rises above the threshold level, RRM initiates a local Dynamic Channel Assignment (DCA) run and changes the channel of the affected access point radio if possible to improve network performance. Low represents a decreased sensitivity to changes in the environment while High represents an increased sensitivity.

Note When the Coverage Thresholds Min SNR Level (dB) parameter is adjusted, the value of the Signal Strength (dB) automatically reflects this change. The Signal Strength (dB) parameter provides information regarding what the target range of coverage thresholds will be when adjusting the SNR value.

Step 5 Click Save.

Configuring 802.11b/g/n RRM Intervals

To configure 802.11a/n or 802.11b/g/n RRM intervals for an individual controller, follow these steps:

Note The default for the following four RRM interval parameters is 300 seconds.

Step 4 Enter the interval at which you want signal strength measurements taken for each access point.

Step 5 Enter the interval at which you want noise and interference measurements taken for each access point.

Step 6 Enter the interval at which you want load measurements taken for each access point.

Step 7 Enter the interval at which you want coverage measurements taken for each access point.

Step 8 Click Save.

Configuring 802.11b/g/n RRM Transmit Power Control

The controller dynamically controls access point transmit power based on real-time wireless LAN conditions. Normally, power can be kept low to gain extra capacity and reduce interference. The controller attempts to balance the access points' transmit power according to how the access points are seen by their third strongest neighbor.

The transmit power control (TPC) algorithm both increases and decreases an access point's power in response to changes in the RF environment. In most instances TPC will seek to lower an access point's power to reduce interference, but in the case of a sudden change in the RF coverage—for example, if an access point fails or becomes disabled—TPC can also increase power on surrounding access points. This feature is different from Coverage Hole Detection, explained below. Coverage hole detection is primarily concerned with clients, while TPC is tasked with providing enough RF power to achieve desired coverage levels while avoiding channel interference between access points.

To configure 802.11b/g/n RRM TPC, follow these steps:

Step 1 Choose Configure > Controller.

Step 2 Click an applicable IP address.

Step 3 From the left sidebar menu, choose 802.11b/g/n-RRM > TPC.

Step 4 Configure the following TPC parameters:

•Template Applied—The name of the template applied to this controller.

•Dynamic Assignment—From the Dynamic Assignment drop-down list, choose one of three modes:

–Automatic - The transmit power is periodically updated for all access points that permit this operation.

–On Demand - Transmit power is updated when the Assign Now button is selected.

–Disabled - No dynamic transmit power assignments occur, and values are set to their global default.

•Maximum Power Assignment—Indicates the maximum power assigned.

–Range: -10 to 30 dB

–Default: 30 dB

•Minimum Power Assignment—Indicates the minimum power assigned.

–Range: -10 to 30 dB

–Default: 30 dB

•Dynamic Tx Power Control—Determine if you want to enable Dynamic Tx Power Control.

•Transmitted Power Threshold—Enter a transmitted power threshold between -50 and -80.

•Control Interval—In seconds (read-only).

Step 5 Click Save.
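The TPC description above (power balanced against the third strongest neighbor, lowered in normal operation and raised when a neighbor fails, bounded by the Maximum and Minimum Power Assignment) can be followed with a small model. The code below is an added illustration, not Cisco's TPC implementation: it assumes a threshold of -70 dBm (the page gives only the -50 to -80 range), treats the neighbor RSSI list as the levels at which neighbors hear this access point, and applies the whole difference in one step, which the real algorithm does not necessarily do.

```python
"""Simplified model of the TPC behaviour described above (added example,
not the controller's algorithm)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class TpcConfig:
    max_power_dbm: int = 30      # page: Maximum Power Assignment, range -10 to 30
    min_power_dbm: int = -10     # page range -10 to 30; the page's listed default is not used here
    threshold_dbm: int = -70     # page: Transmitted Power Threshold, -80 to -50 (value assumed)

    def validate(self) -> List[str]:
        """Return the settings that fall outside the ranges stated on the page."""
        problems = []
        for name in ("max_power_dbm", "min_power_dbm"):
            if not -10 <= getattr(self, name) <= 30:
                problems.append(f"{name} outside -10..30")
        if self.min_power_dbm > self.max_power_dbm:
            problems.append("min_power_dbm exceeds max_power_dbm")
        if not -80 <= self.threshold_dbm <= -50:
            problems.append("threshold_dbm outside -80..-50")
        return problems


def third_strongest(neighbor_rssi_dbm: List[int]) -> Optional[int]:
    """RSSI at which the third strongest neighbor hears this access point,
    or None when fewer than three neighbors report it."""
    ranked = sorted(neighbor_rssi_dbm, reverse=True)
    return ranked[2] if len(ranked) >= 3 else None


def tpc_step(cfg: TpcConfig, current_power_dbm: int, neighbor_rssi_dbm: List[int]) -> int:
    """One TPC adjustment for a single access point.

    If the third strongest neighbor hears us louder than the threshold, power
    is reduced by the difference (less interference); if it hears us more
    quietly, for example because a neighbor failed, power is raised. With
    fewer than three neighbors the model leaves power unchanged."""
    heard_at = third_strongest(neighbor_rssi_dbm)
    if heard_at is None:
        return current_power_dbm
    target = current_power_dbm + (cfg.threshold_dbm - heard_at)
    return max(cfg.min_power_dbm, min(cfg.max_power_dbm, target))


if __name__ == "__main__":
    cfg = TpcConfig()
    # Constructed neighbor report: four neighbors hear this AP at these levels.
    neighbors = [-55, -62, -66, -80]
    power = tpc_step(cfg, 14, neighbors)
    print("steady state: power lowered to", power, "dBm")
    # The strongest neighbor fails: the third strongest is now much weaker.
    power = tpc_step(cfg, power, [-62, -66, -80])
    print("after neighbor failure: power raised to", power, "dBm")
```

The sequence shows the two directions the text describes: with four healthy neighbors the access point is turned down, and once a neighbor disappears the same rule turns it back up, never beyond the configured maximum.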

Configuring 802.11b/g/n RRM DCA

To configure 802.11a/n or 802.11b/g/n RRM DCA channels for an individual controller, follow these steps:

Step 1 Choose Configure > Controller.

Step 2 Click an applicable IP address.

Step 3 From the left sidebar menu, choose 802.11b/g/n-RRM > DCA.

Step 4 Select the check box(es) for the applicable DCA channel(s). The selected channels are listed in the Selected DCA channels text box.

Step 5 Enable or disable event-driven Radio Resource Management (RRM). Event Driven RRM is used when a CleanAir-enabled access point detects a significant level of interference. The following parameter applies:

–Sensitivity Threshold—If Event Driven RRM is enabled, this text box displays the threshold level at which event-driven RRM is triggered. It can have a value of either Low, Medium, or High. When the interference for the access point rises above the threshold level, RRM initiates a local Dynamic Channel Assignment (DCA) run and changes the channel of the affected access point radio if possible to improve network performance. Low represents a decreased sensitivity to changes in the environment while High represents an increased sensitivity.

Step 6 Click Save.

Configuring 802.11b/g/n RRM Radio Grouping

To configure 802.11a/n or 802.11b/g/n RRM Radio Grouping for an individual controller, follow these steps:

Step 4 Choose a grouping mode from the drop-down list. The following parameters appear:

•Automatic—Allows you to activate the automatic RRM Grouping Algorithm. This is the default mode.

•Off—Allows you to deactivate the automatic grouping.

•Leader—Allows you to assign members to the group.

Step 5 Choose a group update interval (secs) from the drop-down list. When grouping is on, this interval (in seconds) is the period at which the Group Leader runs the grouping algorithm. The grouping algorithm also runs when the group contents change and automatic grouping is enabled. A dynamic grouping can be started on request from the system administrator. The default value is 600 seconds.

Step 6 Under the Group Members group box, click Add >. The selected controller moves from the Available Controllers to the RF Group Members list.

Note The RF Group Members group box appears only when the grouping mode is set to Leader.

Note The maximum number of controllers that can be added to a RF Group is 20.

Step 7 Click Save.

Configuring 802.11b/g/n Media Parameters

To configure the media parameters for 802.11b/g/n, follow these steps:

•Admission Control (ACM)—Select the check box to enable admission control.

For end users to experience acceptable audio quality during a VoIP phone call, packets must be delivered from one endpoint to another with low latency and low packet loss. To maintain QoS under differing network loads, Call Admission Control (CAC) is required. CAC on an access point allows it to maintain controlled QoS when the network is experiencing congestion and keep the maximum allowed number of calls to an acceptable quantity.

•CAC Method—If Admission Control (ACM) is enabled, specify the CAC method as either load-based or static.

Load-based CAC incorporates a measurement scheme that takes into account the bandwidth consumed by all traffic types from itself, from co-channel access points, and by co-located channel interference. Load-based CAC also covers the additional bandwidth consumption resulting from PHY and channel impairment.

In load-based CAC, the access point periodically measures and updates the utilization of the RF channel, channel interference, and the additional calls that the access point can admit. The access point admits a new call only if the channel has enough unused bandwidth to support that call. By doing so, load-based CAC prevents over-subscription of the channel and maintains QoS under all conditions of WLAN loading and interference.

•Maximum Bandwidth Allowed—Specify the percentage of maximum bandwidth allowed. This option is only available when CAC is enabled.

•Reserved Roaming Bandwidth—Specify the percentage of reserved roaming bandwidth. This option is only available when CAC is enabled.

•Expedited Bandwidth—Select the check box to enable expedited bandwidth as an extension of CAC for emergency calls.

You must have an expedited bandwidth that is CCXv5 compliant so that a TSPEC request is given higher priority.

•SIP CAC—Select the check box to enable SIP CAC.

SIP CAC should be used only for phones that support status code 17 and do not support TSPEC-based admission control.

•SIP Codec—Specify the codec name you want to use on this radio. The available options are G.711, G.729, and User Defined.

•SIP Call Bandwidth—Specify the bandwidth in kilobits per second that you want to assign per SIP call on the network. This parameter can be configured only when the SIP Codec selected is User Defined.

•SIP Sample Interval—Specify the sample interval in milliseconds that the codec must operate in.

•Max Voice Calls per Radio—Indicates the maximum number of voice calls that can be made per Radio.

Note You cannot set the value of Max Voice Calls per Radio. This is automatically calculated based on the selected CAC method, Max BW allowed, and Roaming Bandwidth.

•Max Roaming Reserved Calls per Radio—Indicates the maximum number of roaming calls that can be reserved per Radio.

Note The Max Voice Calls per Radio and Max Roaming Reserved Calls per Radio options are available only if the CAC Method is specified as Static and SIP CAC is enabled.

•Metric Collection—Select the check box to enable metric collection.

Traffic stream metrics are a series of statistics about VoIP over your wireless LAN which inform you of the QoS of the wireless LAN. For the access point to collect measurement values, traffic stream metrics must be enabled. When this is enabled, the controller begins collecting statistical data every 90 seconds for the 802.11b/g interfaces from all associated access points. If you are using VoIP or video, this feature should be enabled.
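The CAC parameters in this list, and the identical voice list in the 802.11a/n media section earlier, define a bandwidth budget: Maximum Bandwidth Allowed caps all voice traffic, Reserved Roaming Bandwidth holds part of that cap back for roaming calls, and the SIP codec (or SIP Call Bandwidth for a User Defined codec) fixes the cost of one call. The model below is an added example, not Cisco NCS or controller code; it shows only the budget arithmetic and the admit/reject decision. The channel capacity and the per-codec kbps figures are assumptions for the model, and the real controller's measurement of channel utilization is not modelled.

```python
"""Simplified model of the voice CAC bandwidth budget (added example, not
the controller's own accounting)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed per-call bandwidth in kbps for the codecs named on the page.
# Constructed figures for the model; the controller's accounting also
# includes 802.11 framing overhead.
CODEC_KBPS = {"G.711": 64, "G.729": 8}


@dataclass(frozen=True)
class VoiceCac:
    max_bandwidth_pct: int      # Maximum Bandwidth Allowed (%)
    reserved_roaming_pct: int   # Reserved Roaming Bandwidth (%)
    channel_kbps: int           # assumed usable channel capacity (model input)

    def validate(self) -> List[str]:
        """Return configuration problems; an empty list means the budget is consistent."""
        problems = []
        if not 0 <= self.max_bandwidth_pct <= 100:
            problems.append("max_bandwidth_pct must be 0-100")
        if not 0 <= self.reserved_roaming_pct <= self.max_bandwidth_pct:
            problems.append("reserved_roaming_pct must not exceed max_bandwidth_pct")
        return problems

    def total_budget_kbps(self) -> int:
        """Bandwidth available to all voice calls, new and roaming."""
        return self.channel_kbps * self.max_bandwidth_pct // 100

    def new_call_budget_kbps(self) -> int:
        """Bandwidth available to new calls: the roaming reserve is held back."""
        return self.channel_kbps * (self.max_bandwidth_pct - self.reserved_roaming_pct) // 100


def call_bandwidth_kbps(codec: str, user_defined_kbps: Optional[int] = None) -> int:
    """Per-call bandwidth. As on the page, SIP Call Bandwidth can only be
    set when the codec is User Defined."""
    if codec == "User Defined":
        if user_defined_kbps is None or user_defined_kbps <= 0:
            raise ValueError("User Defined codec requires a positive SIP Call Bandwidth")
        return user_defined_kbps
    if user_defined_kbps is not None:
        raise ValueError("SIP Call Bandwidth is only valid with the User Defined codec")
    return CODEC_KBPS[codec]


def max_calls(cfg: VoiceCac, call_kbps: int) -> Tuple[int, int]:
    """(new calls admissible on an idle channel, total calls including roaming).
    This is the static view: capacity derived from the budget alone."""
    return (cfg.new_call_budget_kbps() // call_kbps,
            cfg.total_budget_kbps() // call_kbps)


def admit(cfg: VoiceCac, in_use_kbps: int, call_kbps: int, roaming: bool) -> bool:
    """Admission decision: a new call may only use the non-reserved budget,
    a roaming call may also use the reserved roaming bandwidth."""
    budget = cfg.total_budget_kbps() if roaming else cfg.new_call_budget_kbps()
    return in_use_kbps + call_kbps <= budget


if __name__ == "__main__":
    cfg = VoiceCac(max_bandwidth_pct=75, reserved_roaming_pct=6, channel_kbps=10_000)
    assert not cfg.validate()
    g711 = call_bandwidth_kbps("G.711")
    print("max calls (new, total):", max_calls(cfg, g711))
    print("new call with 6880 kbps in use:", admit(cfg, 6880, g711, roaming=False))
    print("roaming call with 6880 kbps in use:", admit(cfg, 6880, g711, roaming=True))
```

The last two calls make the point of the roaming reserve: at the same channel load a new call is refused while a roaming call is still admitted, so an existing conversation survives the handoff instead of competing with new call setups.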

Step 5 In the Video tab, specify the following parameters:

•Admission Control (ACM)—Select the check box to enable admission control.

•Maximum Bandwidth—Specify the percentage of maximum bandwidth allowed. This option is only available when CAC is enabled.

•Reserved Roaming Bandwidth—Specify the percentage of reserved roaming bandwidth. This option is only available when CAC is enabled.

•Unicast Video Redirect—Select the Unicast Video Redirect check box so that all non-media stream packets in the video queue are redirected to the best effort queue. If disabled, all packets with video marking are kept in the video queue.

•Multicast Direct Enable—Select the Multicast Direct Enable check box to enable Media Direct on this radio for any WLAN that has Media Direct enabled.

•Maximum Number of Streams per Radio—Specify the maximum number of streams per Radio to be allowed.

•Maximum Number of Streams per Client—Specify the maximum number of streams per Client to be allowed.

•Best Effort QOS Admission—Select the Best Effort QOS Admission check box to redirect new client requests to the best effort queue. This happens only if all the video bandwidth has been used.

Note If disabled and maximum video bandwidth has been used, then any new client request is rejected.

Step 6 In the General tab, specify the following parameter:

•Maximum Media Bandwidth (0 to 85%)—Specify the percentage of maximum bandwidth allowed. This option is only available when CAC is enabled.

Step 7 Click Save.

Note The SIP settings are available only on the following controllers: 4400 and 5500, and only on the following access points: 1240, 1130, and 11n.

Command Buttons

•Save—Save the changes made.

•Audit—Compare the NCS values with those used on the controller.

Configuring 802.11b/g/n EDCA Parameters

The EDCA parameters (EDCA profile and Streaming MAC Enable settings) for 802.11a/n and 802.11b/g/n can be configured either by individual controller or through a controller template to improve voice QoS support.

To configure 802.11a/n or 802.11b/g/n EDCA parameters for an individual controller, follow these steps:

•Custom values—Activates the text boxes to enable editing of the roaming parameters.

Step 5 In the Minimum RSSI text box, enter a value for the minimum received signal strength indicator (RSSI) required for the client to associate to an access point.

•Range: -80 to -90 dBm

•Default: -85 dBm

Note If the client average received signal power dips below this threshold, reliable communication is typically impossible; clients must already have found and roamed to another access point with a stronger signal before the minimum RSSI value is reached.

Step 6 In the Hysteresis text box, enter a value to indicate how strong the signal strength of a neighboring access point must be in order for the client to roam to it.

This parameter is intended to reduce the amount of "ping ponging" between access points if the client is physically located on or near the border between two access points.

•Range: 2 to 4 dB

•Default: 3 dB

Step 7 In the Adaptive Scan Threshold text box, enter the RSSI value, from a client associated access point, below which the client must be able to roam to a neighboring access point within the specified transition time.

This parameter provides a power-save method to minimize the time that the client spends in active or passive scanning. For example, the client can scan slowly when the RSSI is above the threshold and scan more rapidly when below the threshold.

•Range: -70 to -77 dB

•Default: -72 dB

Step 8 In the Transition Time text box, enter the maximum time allowed for the client to detect a suitable neighboring access point to roam to and to complete the roam, whenever the RSSI from the client associated access point is below the scan threshold.

The Scan Threshold and Transition Time parameters guarantee a minimum level of client roaming performance. Together with the highest expected client speed and roaming hysteresis, these parameters make it possible to design a wireless LAN network that supports roaming simply by ensuring a certain minimum overlap distance between access points.

•Range: 1 to 10 seconds

•Default: 5 seconds

Step 9 Click Save.
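Steps 5 through 8 (here and in the identical 802.11a/n EDCA section earlier) describe four client roaming parameters that interact: minimum RSSI decides where a client can associate at all, hysteresis prevents ping-ponging, the adaptive scan threshold switches the client to fast scanning, and the transition time bounds how long the roam may take once below that threshold. The following added example, not Cisco code, applies those rules to a constructed RSSI trace. The trace values, the one-sample-per-second timing, and the "deadline missed" event are assumptions of the model; the page's defaults and ranges are used as given.

```python
"""Model of the client roaming parameters (added example, not the
client's or controller's roaming implementation)."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class RoamingParams:
    min_rssi_dbm: int = -85          # page default
    hysteresis_db: int = 3           # page default
    scan_threshold_dbm: int = -72    # page default
    transition_time_s: int = 5       # page default


# Allowed ranges as stated on the page.
RANGES = {
    "min_rssi_dbm": (-90, -80),
    "hysteresis_db": (2, 4),
    "scan_threshold_dbm": (-77, -70),
    "transition_time_s": (1, 10),
}


def validate(p: RoamingParams) -> List[str]:
    """Return the parameters that fall outside the page's ranges."""
    bad = []
    for name, (lo, hi) in RANGES.items():
        value = getattr(p, name)
        if not lo <= value <= hi:
            bad.append(f"{name}={value} outside {lo}..{hi}")
    return bad


def scan_mode(p: RoamingParams, current_rssi: int) -> str:
    """Adaptive scan: slow above the threshold, fast once below it."""
    return "slow" if current_rssi >= p.scan_threshold_dbm else "fast"


def should_roam(p: RoamingParams, current_rssi: int, neighbor_rssi: int) -> bool:
    """Roam only to a neighbor the client could associate to (at or above
    minimum RSSI) that beats the current AP by at least the hysteresis."""
    return (neighbor_rssi >= p.min_rssi_dbm
            and neighbor_rssi >= current_rssi + p.hysteresis_db)


def simulate(p: RoamingParams, trace: List[Tuple[int, int]]) -> List[Tuple[int, str, str]]:
    """Walk a trace of one (current_ap_rssi, best_neighbor_rssi) sample per
    second and return (t, scan_mode, action) per sample. action is 'stay',
    'roam', or 'deadline_missed' once the client has been below the scan
    threshold for longer than the transition time without roaming."""
    events = []
    below_since = None
    for t, (current, neighbor) in enumerate(trace):
        mode = scan_mode(p, current)
        if mode == "slow":
            below_since = None
        elif below_since is None:
            below_since = t
        if should_roam(p, current, neighbor):
            action = "roam"
            below_since = None
        elif below_since is not None and t - below_since > p.transition_time_s:
            action = "deadline_missed"
        else:
            action = "stay"
        events.append((t, mode, action))
    return events


# Constructed trace: the client walks away from its AP while a neighbor
# gets stronger (sample values, not measurements).
WALK_AWAY = [(-60, -75), (-66, -70), (-70, -69), (-73, -68), (-74, -72)]

# Constructed trace: the client sits in weak coverage with no usable neighbor.
NO_NEIGHBOR = [(-73, -80)] * 8

if __name__ == "__main__":
    p = RoamingParams()
    print("range check:", validate(RoamingParams(min_rssi_dbm=-95)))
    for event in simulate(p, WALK_AWAY):
        print(event)
    print("coverage hole, last sample:", simulate(p, NO_NEIGHBOR)[-1])
```

In WALK_AWAY the neighbor is already stronger at t=2 but not by the 3 dB hysteresis, so the client stays; at t=3 the current AP drops below the scan threshold (fast scanning) and the neighbor clears the hysteresis, so it roams. In NO_NEIGHBOR the neighbor never clears the hysteresis, and after the 5 second transition time the model reports a missed deadline, which is the overlap-distance design problem the text above describes.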

Configuring 802.11b/g/n High Throughput (802.11n) Parameters

To configure 802.11a/n or 802.11b/g/n high throughput parameters, follow these steps:

Step 1 Choose Configure > Controller.

Step 2 Click an applicable IP address.

Step 3 From the left sidebar menu, choose 802.11a/n > High Throughput or 802.11b/g/n > High Throughput.

Step 5 In the MCS (Data Rate) Settings, choose which data rate levels you want supported. MCS stands for modulation and coding scheme; MCS indexes play the same role for 802.11n that data rates play for 802.11a. By default, a 20 MHz channel and the short guard interval are used.

Note When you select the Supported check box, the chosen numbers appear in the Selected MCS Indexes page.

Step 6 Click Save.

Configuring 802.11b/g/n CleanAir Parameters

To configure 802.11b/g/n CleanAir parameters, follow these steps:

Step 1 Choose Configure > Controller.

Step 2 Click an applicable IP address.

Step 3 From the left sidebar menu, choose 802.11b/g/n > CleanAir to view the following information.

•CleanAir—Select the check box to enable CleanAir functionality on the 802.11b/g/n network, or unselect to prevent the controller from detecting spectrum interference. The default value is selected.

•Reporting Configuration—Use the parameters in this section to configure the interferer devices you want to include for your reports.

–Report—Select the report interferers check box to enable the CleanAir system to detect and report sources of interference, or unselect it to prevent the controller from reporting interferers. The default value is selected.

–Make sure that any sources of interference that need to be detected and reported by the CleanAir system appear in the Interferences to Detect text box and any that do not need to be detected appear in the Interferers to Ignore text box. Use the > and < buttons to move interference sources between these two text boxes. By default, all interference sources are detected.

•Alarm Configuration—This section enables you to configure triggering of air quality alarms.

–Air Quality Alarm—Select the Air Quality Alarm check box to enable the triggering of air quality alarms, or unselect the text box to disable this feature. The default value is selected.

–Air Quality Alarm Threshold—If you selected the Air Quality Alarm check box, enter a value between 1 and 100 (inclusive) in the Air Quality Alarm Threshold text box to specify the threshold at which you want the air quality alarm to be triggered. When the air quality falls below the threshold level, the alarm is triggered. A value of 1 represents the worst air quality, and 100 represents the best. The default value is 35.

–Interferers For Security Alarm—Select the Interferers For Security Alarm check box to trigger interferer alarms when the controller detects specified device types, or unselect it to disable this feature. The default value is selected.

–Make sure that any sources of interference that need to trigger interferer alarms appear in the Interferers Selected for Security Alarms text box and any that do not need to trigger interferer alarms appear in the Interferers Ignored for Security Alarms text box. Use the > and < buttons to move interference sources between these two text boxes. By default, all interference sources trigger interferer alarms.

•Event Driven RRM—To trigger spectrum event-driven Radio Resource Management (RRM) to run when a CleanAir-enabled access point detects a significant level of interference, use the following parameters:

–Event Driven RRM—Displays the current status of spectrum event-driven RRM.

–Sensitivity Threshold—If Event Driven RRM is enabled, this text box displays the threshold level at which event-driven RRM is triggered. It can have a value of either Low, Medium, or High. When the interference for the access point rises above the threshold level, RRM initiates a local Dynamic Channel Allocation (DCA) run and changes the channel of the affected access point radio if possible to improve network performance. Low represents a decreased sensitivity to changes in the environment while High represents an increased sensitivity.

Command Buttons

•Save—Save the changes made.

•Audit—Compare the NCS values with those used on the controller.

Configuring Mesh Parameters

To configure Mesh parameters for an individual controller, follow these steps:

Step 1 Choose Configure > Controller.

Step 2 Click an applicable IP address.

Step 3 From the left sidebar menu, choose Mesh > Mesh Settings.

Step 4 View or edit the following mesh parameters:

•RootAP to MeshAP Range (150 - 13200 ft)—By default, this value is 12,000 feet. You can enter a value between 150 and 132,000 feet. Enter the optimum distance (in feet) that should exist between the root access point and the mesh access point. This global parameter applies to all access points when they join the controller and all existing access points in the network.

•Client Access on Backhaul Link—Enabling this feature lets mesh access points associate with 802.11a wireless clients over the 802.11a backhaul. This client association is in addition to the existing communication on the 802.11a backhaul between the root and mesh access points. This feature is only applicable to access points with two radios. For more information, see the "Client Access on 1524SB Dual Backhaul" section.

Note Changing Backhaul Client Access reboots all mesh access points.

•Mesh DCA Channels—Enable or disable. This option is disabled by default. Enable this option to enable backhaul channel deselection on the Controller using the DCA channel list. Any change to the channels in the Controller DCA list is pushed to the associated access points. This option is only applicable for 1524SB mesh access points. For more information on this feature, see the "Backhaul Channel Deselection Using NCS" section.

Client Access on 1524SB Dual Backhaul

The 1524 Serial Backhaul (SB) access point has three radio slots. The radio in slot-0 operates in the 2.4 GHz band and is used for client access. The radios in slot-1 and slot-2 operate in the 5.8 GHz band and are primarily used for backhaul. However, with the Universal Client Access feature, client access is also allowed over the slot-1 and slot-2 radios.

The two 802.11a backhaul radios use the same MAC address. There may be instances where the same WLAN maps to the same BSSID in more than one slot.

By default, client access is disabled over both of the backhaul radios.

The following guidelines should be followed for enabling or disabling a radio slot:

•You can enable client access on slot-1 even if client access on slot-2 is disabled.

•You can enable client access on slot-2 only when client access on slot-1 is enabled.

•If you disable client access on slot-1 the client access on slot-2 is automatically disabled.

Step 2 From the general options, select the Mesh DCA Channels option to enable channel selection. This option is unselected by default.

Channel changes on the controllers are then pushed to the associated 1524SB access points.

Changing the Channel List Using Config Groups

You can use controller config groups to configure backhaul channel deselection. You can create a config group and add the required controllers into the group and use the Country/DCA tab to select or deselect channels for the controllers in that group.

Note You can also configure backhaul channel deselection from controllers. For more information, see the Controller Online Help or Controller User Guide.

Configuring Port Parameters

To configure Port parameters for an individual controller, follow these steps:

Step 1 Choose Configure > Controller.

Step 2 Click an applicable IP address.

Step 3 From the left sidebar menu, choose Ports > Port Settings.

Step 4 Click the applicable Port Number to open the Port Settings Details page. The following parameters are displayed:

•General Parameters:

–Port Number—Read-only.

–Admin Status—Choose Enabled or Disabled from the drop-down list.

–Physical Mode—Choose Auto Negotiate or Full Duplex 1 Gbps.

–STP Mode—Choose 802.1D, Fast, or Off.

–Mirror Mode—Choose Enabled or Disabled.

–Link Traps—Choose Enabled or Disabled.

–Power Over Ethernet

–Multicast Application Mode—Select Enabled or Disabled.

•Spanning Tree Protocol Parameters:

–Priority—The numerical priority number of the ideal switch.

–Path Cost—A value (typically based on hop count, media bandwidth, or other measures) assigned by a network administrator and used to determine the most favorable path through an internetwork environment (the lower the cost, the better the path).

Step 5 Choose Save or Audit for General or Spanning Tree Protocol settings.

–SNMP Authentication—The SNMPv2 entity has received a protocol message that is not properly authenticated.

Note When a user who is configured in SNMP V3 mode tries to access the controller with an incorrect password, the authentication fails and a failure message is displayed. However, no trap logs are generated for the authentication failure.

–Link (Port) Up/Down—Link changes status from up or down.

–Multiple Users—Two users log in with the same login ID.

–Spanning Tree—Spanning Tree traps. See the STP specifications for descriptions of individual parameters.

–Rogue AP—Sent, together with the rogue's MAC address, whenever a rogue access point is detected. This trap is also sent when a previously detected rogue access point is no longer present.

–Config Save—Notification sent when the controller configuration is modified.

•Client Related Traps

–802.11 Association—The associate notification is sent when the client sends an association frame.

–802.11 Disassociation—The disassociate notification is sent when the client sends a disassociation frame.

–802.11 Deauthentication—The deauthenticate notification is sent when the client sends a deauthentication frame.

–802.11 Failed Authentication—The authenticate failure notification is sent when the client sends an authentication frame with a status code other than 'successful'.

–802.11 Failed Association—The associate failure notification is sent when the client sends an association frame with a status code other than 'successful'.

–Excluded—The associate failure notification is sent when a client is excluded.

•Cisco AP Traps

–AP Register—Notification sent when an access point associates or disassociates with the controller.

–AP Interface Up/Down—Notification sent when access point interface (802.11a or 802.11b/g) status goes up or down.

•Auto RF Profile Traps

–Load Profile—Notification sent when Load Profile state changes between PASS and FAIL.

–Noise Profile—Notification sent when Noise Profile state changes between PASS and FAIL.

–Interference Profile—Notification sent when Interference Profile state changes between PASS and FAIL.

–Coverage Profile—Notification sent when Coverage Profile state changes between PASS and FAIL.

•Auto RF Update Traps

–Channel Update—Notification sent when access point dynamic channel algorithm is updated.

–Tx Power Update—Notification sent when access point dynamic transmit power algorithm is updated.

•AAA Traps

–User Auth Failure—This trap indicates that a client RADIUS authentication failure has occurred.

–RADIUS Server No Response—This trap indicates that no RADIUS server is responding to authentication requests sent by the RADIUS client.

•IP Security Traps

–ESP Authentication Failure—IPSec packets with invalid hashes were found in an inbound ESP SA.

–ESP Replay Failure—IPSec packets with invalid sequence numbers were found in an inbound ESP SA.

–Invalid SPI—A packet with an unknown SPI was detected from the specified peer with the specified SPI using the specified protocol.

–IKE Negotiation Failure—An attempt to negotiate a phase 1 IKE SA failed. The notification counts are also sent as part of the trap, along with the current value of the total negotiation error counters.

–IKE Suite Failure—An attempt to negotiate a phase 2 SA suite for the specified selector failed. The current total failure counts are passed as well as the notification type counts for the notify involved in the failure.

–Invalid Cookie—ISAKMP packets with invalid cookies were detected from the specified source, intended for the specified destination. The initiator and responder cookies are also sent with the trap.

•802.11 Security Traps

–WEP Decrypt Error—Notification sent when the controller detects a WEP decrypting error.

•WPS Traps

–Rogue Auto Containment—Notification sent when a rogue access point is auto-contained.

•Session Timeout—Indicates the number of minutes a Telnet session is allowed to remain inactive before being logged off. A zero means there will be no timeout. May be specified as a number from 0 to 160. The factory default is 5.

•Maximum Sessions—From the drop-down list choose a value from 0 to 5. This object indicates the number of simultaneous Telnet sessions allowed.

Note New Telnet sessions can be allowed or disallowed on the DS (network) port. New Telnet sessions are always allowed on the Service port.

•Allow New Telnet Sessions—Indicates that new Telnet sessions will not be allowed on the DS Port when set to no. The factory default value is no.

•Allow New SSH Sessions—Indicates that new Secure Shell (SSH) sessions will not be allowed when set to no. The factory default value is yes.

Configuring Multiple Syslog Servers

For version 5.0.148.0 controllers or later, you can configure multiple (up to three) syslog servers on the WLAN controller. With each message logged, the controller sends a copy of the message to each configured syslog host, provided the message has severity greater than or equal to the configured syslog filter severity level.
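The forwarding rule above is easy to get backwards because syslog severity codes run the opposite way to their names (0 is most severe). The following model of the fan-out is an added example, not controller or NCS code; the three-server limit and the filter comparison are the only rules it implements, the sample log lines are constructed, and no sockets are opened.

```python
"""Model of the multi-server syslog forwarding rule described above: a
message is sent to every configured host only if its severity is at least
the configured filter severity. Constructed example, not controller code."""
from typing import Dict, List, Tuple

MAX_SYSLOG_SERVERS = 3   # limit stated above for 5.0.148.0 and later controllers

# RFC 5424 severity codes: numerically LOWER means MORE severe, so "severity
# greater than or equal to the filter level" means code <= filter code.
SEVERITY = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
            "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

# Constructed sample lines; <PRI> = facility * 8 + severity (local7 = 23).
SAMPLE_LINES = [
    "<187>Jan 01 00:00:01 wlc1: (constructed) RADIUS server no response",   # severity 3
    "<188>Jan 01 00:00:02 wlc1: (constructed) noise profile state FAIL",    # severity 4
    "<190>Jan 01 00:00:03 wlc1: (constructed) access point joined",         # severity 6
]


def configure_servers(hosts: List[str]) -> List[str]:
    """Enforce the configured-server limit and drop duplicate hosts."""
    unique = list(dict.fromkeys(hosts))
    if len(unique) > MAX_SYSLOG_SERVERS:
        raise ValueError(f"at most {MAX_SYSLOG_SERVERS} syslog servers are supported")
    return unique


def parse_pri(line: str) -> Tuple[int, int]:
    """Split the <PRI> prefix of a syslog line into (facility, severity)."""
    if not line.startswith("<") or ">" not in line:
        raise ValueError("missing <PRI> prefix")
    pri = int(line[1:line.index(">")])
    return pri // 8, pri % 8


def forward(line: str, hosts: List[str], filter_level: str) -> List[str]:
    """Return the hosts that receive this line under the configured filter."""
    _, severity = parse_pri(line)
    if severity <= SEVERITY[filter_level]:
        return list(hosts)      # a copy goes to every configured host
    return []


def fan_out(lines: List[str], hosts: List[str], filter_level: str) -> Dict[str, List[str]]:
    """Deliver a batch of lines; returns host -> lines that host received."""
    delivered: Dict[str, List[str]] = {h: [] for h in hosts}
    for line in lines:
        for h in forward(line, hosts, filter_level):
            delivered[h].append(line)
    return delivered
```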

Syslog Server Address—Indicates the server address of the applicable syslog.

Step 4 Click Save.

Configuring WEB Admin

This section provides instructions for enabling the distribution system port as a web port (using HTTP) or as a secure web port (using HTTPS). You can protect communication with the GUI by enabling HTTPS. HTTPS protects HTTP browser sessions by using the Secure Sockets Layer (SSL) protocol. When you enable HTTPS, the controller generates its own local web administration SSL certificate and automatically applies it to the GUI. You also have the option of downloading an externally generated certificate.

To enable WEB admin parameters for an individual controller, follow these steps:

Step 1 Choose Configure > Controller.

Step 2 Click an applicable IP address.

Step 3 From the left sidebar menu, choose Management > Web Admin.

The following parameters can be configured:

•Web Mode—Choose Enable or Disable from the drop-down list. When enabled, users can access the controller GUI using http://ip-address. The default is Disabled.

Note Web mode is not a secure connection.

•Secure Web Mode—Choose Enable or Disable from the drop-down list. When enabled, users can access the controller GUI using https://ip-address. The default is Enabled.

The Location Configuration page displays two tabs: General and Advanced.

Step 4 Add or modify the General parameters:

•RFID Tag Data Collection—Select the check box to enable the collection of data on tags.

Before the location server can collect asset tag data from controllers, you must enable the detection of active RFID tags using the CLI command config rfid status enable on the controllers.

•Location Path Loss Configuration

–Calibrating Client—Select the Enabled check box to enable calibration for the client. Controllers send regular S36 or S60 requests (depending on the client capability) by way of the access point to calibrate clients. Packets are transmitted on all channels. All access points gather RSSI data from the client at each location. These additional transmissions and channel changes might degrade contemporaneous voice or video traffic.

Note To use all radios (802.11a/b/g/n) available, you must enable multiband in the Advanced page.

–Normal Client—Select the Enabled check box to have a non-calibrating client. No S36 requests are transmitted to the client.

–Tags, Clients, and Rogue APs/Clients—Allows you to set the NMSP measurement notification interval for clients, tags, and rogues. Specify how many seconds should elapse before notification of the found element (tags, clients, and rogue access points/clients).

Setting this value on the controller generates an out-of-sync notification which you can view on the Synchronize Servers page. When different measurement intervals exist between a controller and the mobility services engine, the largest interval setting of the two is adopted by the mobility services engine.

Once this controller is synchronized with the mobility services engine, the new value is set on the mobility services engine.

Note Synchronization to the mobility services engine is required if changes are made to measurement notification interval.

•RSS Expiry Timeout (in secs)

–For Clients—Enter the number of seconds after which RSSI measurements for normal (non-calibrating) clients should be discarded.

–For Calibrating Clients—Enter the number of seconds after which RSSI measurements for calibrating clients should be discarded.

–For Tags—Enter the number of seconds after which RSSI measurements for tags should be discarded.

–For Rogue APs—Enter the number of seconds after which RSSI measurements for rogue access points should be discarded.

Setting AP Failover Priority

When a controller fails, the backup controller configured for the access point suddenly receives a number of discovery and join requests. This may cause the controller to reach a saturation point and reject some of the access points.

By assigning priority to an access point, you have some control over which access points are rejected. In a failover situation when the backup controller is saturated, the higher priority access points are allowed to join the backup controller by disjoining the lower priority access points.
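The preemption rule just described, modelled as an added example (this is not NCS or controller code): a backup controller with an assumed fixed join capacity accepts a request from a saturated state only by disjoining a joined access point of strictly lower priority. The four-level priority scale is assumed for illustration.

```python
"""Simulation of AP failover priority on a saturated backup controller.
Constructed example; capacity and the priority scale are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed priority scale: higher number = higher priority.
LOW, MEDIUM, HIGH, CRITICAL = 1, 2, 3, 4


@dataclass
class BackupController:
    capacity: int                                           # assumed join limit
    joined: Dict[str, int] = field(default_factory=dict)    # ap_name -> priority
    log: List[str] = field(default_factory=list)

    def join_request(self, ap_name: str, priority: int) -> Tuple[bool, Optional[str]]:
        """Handle one discovery/join request.

        Returns (accepted, disjoined_ap): disjoined_ap names the lower-priority
        AP dropped to make room, or None when no preemption happened."""
        if ap_name in self.joined:
            return True, None                               # already joined
        if len(self.joined) < self.capacity:
            self.joined[ap_name] = priority
            self.log.append(f"join {ap_name} prio={priority}")
            return True, None
        # Saturated: pick the lowest-priority joined AP as the candidate victim.
        victim = min(self.joined, key=lambda n: self.joined[n])
        if self.joined[victim] < priority:
            del self.joined[victim]
            self.joined[ap_name] = priority
            self.log.append(f"disjoin {victim}; join {ap_name} prio={priority}")
            return True, victim
        # Nothing of lower priority to preempt (equal priority does not preempt).
        self.log.append(f"reject {ap_name} prio={priority}")
        return False, None


def failover_burst(capacity: int, requests: List[Tuple[str, int]]) -> Dict[str, int]:
    """Replay the burst of join requests that follows a primary controller
    failure and return the APs that end up joined, with their priorities."""
    ctl = BackupController(capacity=capacity)
    for name, prio in requests:
        ctl.join_request(name, prio)
    return dict(ctl.joined)
```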

To configure priority settings for access points, you must first enable the AP Priority feature. To enable the AP Priority feature, follow these steps:

Configuring Global Credentials for Access Points

Cisco autonomous access points are shipped from the factory with Cisco as the default enable password. This password allows users to log into the non-privileged mode and execute show and debug commands, posing a security threat. The default enable password must be changed to prevent unauthorized access and to enable users to execute configuration commands from the access point's console port.

In NCS and controller software releases prior to 5.0, you can set the access point enable password only for access points that are currently connected to the controller. In NCS and controller software release 5.0, you can set a global username, password, and enable password that all access points inherit as they join a controller. This includes all access points that are currently joined to the controller and any that join in the future. When you are adding an access point, you can also choose to accept this global username and password or override it on a per-access point basis and assign a unique username, password, and enable password. See the "Configuring AP Configuration Templates" section to see where the global password is displayed and how it can be overridden on a per-access point basis.

Also in controller software release 5.0, after an access point joins the controller, the access point enables console port security, and you are prompted for your username and password whenever you log into the access point's console port. When you log in, you are in non-privileged mode, and you must enter the enable password in order to use the privileged mode.

Note These controller software release 5.0 features are supported on all access points that have been converted to lightweight mode, except the 1100 series. VxWorks access points are not supported.

The global credentials that you configure on the controller are retained across controller and access point reboots. They are overwritten only if the access point joins a new controller that is configured with a global username and password. If the new controller is not configured with global credentials, the access point retains the global username and password configured for the first controller.

Note You need to keep careful track of the credentials used by the access points. Otherwise, you might not be able to log into an access point's console port. If necessary, you can clear the access point configuration to return the access point username and password to the default setting.

To establish a global username and password, follow these steps:

Step 1 Choose Configure > Controllers or Configure > Access Points.

Step 2 Choose an IP address of a controller with software release 5.0 or later or choose an access point associated with software release 5.0 or later.

Step 4 In the AP Username text box, enter the username that is to be inherited by all access points that join the controller.

Step 5 In the AP Password text box, enter the password that is to be inherited by all access points that join the controller. Re-enter in the Confirm AP Password text box.

Step 6 For Cisco autonomous access points, you must also enter and confirm an enable password. In the AP Enable Password text box, enter the enable password that is to be inherited by all access points that join the controller. Re-enter in the Confirm Enable Password text box.

Note You do not need to configure VLAN tagging to use Ethernet bridging for point-to-point and point-to-multipoint bridging deployments.

Figure 9-16 Point-to-Multipoint Bridging

2. Ethernet VLAN tagging allows specific application traffic to be segmented within a wireless mesh network and then forwarded (bridged) to a wired LAN (access mode) or bridged to another wireless mesh network (trunk mode).

A typical public safety access application using Ethernet VLAN tagging is placement of video surveillance cameras at various outdoor locations within a city. Each of these video cameras has a wired connection to a MAP. The video of all these cameras is then streamed across the wireless backhaul to a central command station on a wired network (see Figure 9-17).

Figure 9-17 Ethernet VLAN Tagging

Ethernet VLAN Tagging Guidelines

•For security reasons, the Ethernet port on a mesh access point (RAP and MAP) is disabled by default. It is enabled by configuring Ethernet Bridging on the mesh access point port.

•You must enable Ethernet bridging on all the access points in the mesh network to allow Ethernet VLAN Tagging to operate.

–In Ethernet VLAN tagging, port 0-PoE in on the RAP connects to the trunk port of the switch in the wired network. Port 1-PoE out on the MAP connects to external devices such as video cameras.

•Backhaul interfaces (802.11a radios) act as primary Ethernet interfaces. Backhauls function as trunks in the network and carry all VLAN traffic between the wireless and wired network. You are not required to configure the primary Ethernet interface.

•You must configure the switch port in the wired network that is attached to the RAP (port 0-PoE in) to accept tagged packets on its trunk port. The RAP forwards all tagged packets received from the mesh network to the wired network.

•Configuration to support VLAN tagging on the 802.11a backhaul Ethernet interface is not required within the mesh network.

–This includes the RAP uplink Ethernet port. The required configuration happens automatically using a registration mechanism.

–Any configuration changes to an 802.11a Ethernet link acting as a backhaul are ignored, and a warning results. When the Ethernet link no longer functions as a backhaul, the modified configuration is applied.

•If bridging between two MAPs, enter the distance (mesh range) between the two access points that are bridging. (Not applicable to applications in which you are forwarding traffic connected to the MAP to the RAP, access mode.)

•Each sector supports up to 16 VLANs; therefore, the cumulative number of VLANs supported by a RAP's children (MAPs) cannot exceed 16.

–Normal mode—In this mode, the Ethernet interface is VLAN-transparent by default and does not accept or send any tagged packets. Tagged frames from clients are dropped. Untagged frames are forwarded to the native VLAN on the RAP trunk port.

–Access mode—In this mode, only untagged packets are accepted. You must tag all packets with a user-configured VLAN called access-VLAN. For this mode to take effect, the global VLAN mode should be non-VLAN transparent.

Use this option for applications in which information is collected from devices connected to the MAP such as cameras or PCs and then forwarded to the RAP. The RAP then applies tags and forwards traffic to a switch on the wired network.

–Trunk mode—This mode requires the user to configure a native VLAN and an allowed VLAN list (no defaults). In this mode, both tagged and untagged packets are accepted. You can accept untagged packets and tag them with the user-specified native VLAN. You can accept tagged packets if they are tagged with a VLAN in the allowed VLAN list. For this mode to take effect, the global VLAN mode should be non-VLAN transparent.

Use this option for bridging applications such as forwarding traffic between two MAPs resident on separate buildings within a campus.

Step 6 Within the Ethernet interface page, perform one of the following:

Note The configuration options vary for each of the VLAN modes (normal, access, and trunk).

a. If you are configuring a MAP and RAP normal ports and chose FastEthernet0, choose Normal from the VLAN Mode drop-down list.

In this mode, the Ethernet interface is VLAN-transparent by default and does not accept or send any tagged packets. Tagged frames from clients are dropped. Untagged frames are forwarded to the native VLAN on the RAP trunk port.

b. If you are configuring a MAP access port and chose gigabitEthernet1 (port 1-PoE out),

1. Choose Access from the VLAN Mode drop-down list.

2. Enter a VLAN ID. The VLAN ID can be any value between 1 and 4095.

3. Click Save.

Note VLAN ID 1 is not reserved as the default VLAN.

Note A maximum of 16 VLANs in total are supported across all of a RAP's subordinate MAPs.

c. If you are configuring a RAP or MAP trunk port and chose gigabitEthernet0 (or FastEthernet0) (port 0-PoE in),

1. Choose trunk from the VLAN Mode drop-down list.

2. Enter a native VLAN ID for incoming traffic. The native VLAN ID can be any value between 1 and 4095. Do not use a value that is already assigned to a user VLAN (access mode).

If forwarding tagged packets, enter a VLAN ID (1 to 4095) that is not already assigned (such as RAP to switch on wired network).

Note To remove a VLAN from the list, click Delete.

4. Click Save.
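To make the three VLAN modes and the configuration limits above concrete, here is an added model of how a mesh access point Ethernet port treats an arriving frame (constructed example, not access point or controller code). Frames are reduced to an optional 802.1Q VLAN ID plus a payload label; the mode names, the 1 to 4095 range and the 16-VLAN sector limit are taken from the text, everything else is an assumption.

```python
"""Per-port VLAN mode model (normal, access, trunk) for a mesh AP Ethernet port.
Constructed example of the rules stated in the procedure above."""
from dataclasses import dataclass
from typing import FrozenSet, Optional

VLAN_MIN, VLAN_MAX = 1, 4095        # VLAN ID range stated above
MAX_VLANS_PER_SECTOR = 16           # limit across all of a RAP's subordinate MAPs


@dataclass(frozen=True)
class Frame:
    vlan: Optional[int]             # None = untagged, else the 802.1Q VLAN ID
    payload: str


@dataclass(frozen=True)
class PortConfig:
    mode: str                                   # "normal", "access" or "trunk"
    access_vlan: Optional[int] = None           # access mode: the access-VLAN
    native_vlan: Optional[int] = None           # trunk mode: VLAN given to untagged frames
    allowed: FrozenSet[int] = frozenset()       # trunk mode: allowed VLAN list


def valid_vlan(vid: int) -> bool:
    return VLAN_MIN <= vid <= VLAN_MAX


def validate(cfg: PortConfig, access_vlans_in_sector: FrozenSet[int]) -> Optional[str]:
    """Return a message when the config breaks a rule stated above, else None.
    access_vlans_in_sector holds the access VLANs already used under this RAP."""
    if cfg.mode == "access":
        if cfg.access_vlan is None or not valid_vlan(cfg.access_vlan):
            return "access mode needs a VLAN ID in 1..4095"
        if len(access_vlans_in_sector | {cfg.access_vlan}) > MAX_VLANS_PER_SECTOR:
            return "more than 16 VLANs across the RAP's subordinate MAPs"
    elif cfg.mode == "trunk":
        if cfg.native_vlan is None or not valid_vlan(cfg.native_vlan):
            return "trunk mode needs a native VLAN ID in 1..4095"
        if cfg.native_vlan in access_vlans_in_sector:
            return "native VLAN must not reuse a value assigned to a user (access) VLAN"
        if not cfg.allowed or not all(valid_vlan(v) for v in cfg.allowed):
            return "trunk mode needs a non-empty allowed VLAN list of IDs in 1..4095"
    elif cfg.mode != "normal":
        return f"unknown VLAN mode {cfg.mode!r}"
    return None


def ingress(cfg: PortConfig, frame: Frame) -> Optional[Frame]:
    """Apply the port's VLAN mode to a frame arriving on the Ethernet side.
    Returns the frame as forwarded toward the mesh, or None if it is dropped."""
    if cfg.mode == "normal":
        # VLAN-transparent: tagged frames are dropped; untagged frames pass
        # through unchanged and land on the native VLAN of the RAP trunk port.
        return None if frame.vlan is not None else frame
    if cfg.mode == "access":
        # Only untagged frames are accepted; each is tagged with the access-VLAN.
        return None if frame.vlan is not None else Frame(cfg.access_vlan, frame.payload)
    if cfg.mode == "trunk":
        if frame.vlan is None:
            return Frame(cfg.native_vlan, frame.payload)      # untagged -> native VLAN
        return frame if frame.vlan in cfg.allowed else None   # tagged -> must be allowed
    return None
```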

Note At least one mesh access point must be set to RootAP in the mesh network.

Autonomous to Lightweight Migration Support

The autonomous to lightweight migration support feature provides a common application (NCS) from which you can perform basic monitoring of autonomous access points along with current lightweight access points. The following autonomous access points are supported:

•Cisco Aironet 1130 Access Point

•Cisco Aironet 1200 Access Point

•Cisco Aironet 1240 Access Point

•Cisco Aironet 1310 Bridge

•Cisco Aironet 1410 Bridge

You may also choose to convert autonomous access points to lightweight. Once an access point is converted to lightweight, the previous status or configuration of the access point is not retained.

From NCS, the following functions are available when managing autonomous access points:

•Telnet Timeout—Indicate the amount of time (in seconds) allowed before the process times out. The default is 60 seconds.

Note Cisco autonomous access points are shipped from the factory with Cisco as the default enable password. This password allows users to log into the non-privileged mode and execute show and debug commands, posing a security threat. The default enable password must be changed to prevent unauthorized access and to enable users to execute configuration commands from the access point's console port.

Step 8 Click Add.

Note After the AP is added and its inventory collection is completed, it appears in the Access Points list page (Configure > Access Points). If it is not found in the Access Points list, choose Configure > Unknown Device to check the status. For details, see the "Configuring Unknown Devices" section.

Note Autonomous access points are not counted towards the total device count for your license.

Adding Autonomous Access Points by CSV File

Autonomous access points can be added to NCS using a CSV file exported from WLSE.

•Server Name—Select the Default Server or add a New server using the Server Name drop-down list.

•IP address—Specify the FTP server IP address. This is automatically populated if the default server is selected.

•NCS Server Files In—Specify where the NCS server files are located. This is automatically populated if the default server is selected.

•Server File Name—Specify the Server File Name.

Step 6 Click Download.

Supporting Autonomous Access Points in Work Group Bridge (WGB) mode

Workgroup Bridge (WGB) mode is a special mode in which an autonomous access point functions as a wireless client and connects to a lightweight access point. The WGB and its wired clients are listed as clients in NCS if the AP mode is set to Bridge and the access point is bridge capable.

To view a list of all NCS clients that are WGBs, choose Monitor > Clients. From the Show drop-down list, choose WGB Clients, and click Go. The Clients (detected as WGBs) page appears. Click a User to view detailed information regarding a specific WGB and its wired clients.

Note The NCS provides WGB client information for the autonomous access point whether or not it is managed by the NCS. If the WGB access point is also managed by the NCS, NCS provides basic monitoring functions for the access point similar to other autonomous access points.

Configuring Access Point Details

Choose Configure > Access Points to see a summary of all access points in the Cisco NCS database. The summary information includes the following:

•Ethernet MAC

•IP Address

•Radio

•Map Location

•AP Type

•Controller

•Operation Status

•Alarm Status

•Audit Status

Note If you hover your mouse cursor over the Audit Status value, the time of the last audit is displayed.

Note You cannot configure the Cisco 600 Series Access Points from this page. They can be configured from the AP Configuration Templates page only. For details on configuring AP Configuration Templates, see the "Configuring AP Configuration Templates" section.

Step 1 Click the link under AP Name to see detailed information about that access point name. The Access Point Detail page appears (see Figure 9-19).

Figure 9-19 Detailed Access Point Information

Note The operating system software automatically detects and adds an access point to the Cisco NCS database as it associates with existing controllers in the Cisco NCS database.

Note Access point parameters may vary depending on the access point type.

Some of the parameters on the page are automatically populated.

•The General portion displays the Ethernet MAC, the Base Radio MAC, IP Address, and status.

•The Versions portion of the page displays the software and boot version.

•The Radio Interfaces portion provides the current status of the 802.11a/n and 802.11b/g/n radios such as admin status, channel number, power level, antenna mode, antenna diversity, and antenna type.

To set the configurable parameters, follow these steps:

Note Changing access point parameters causes the access point to be temporarily disabled and this may cause some clients to lose connectivity.

Step 2 Enter the name assigned to the access point.

Step 3 Use the drop-down list to choose a country code to establish multiple country support. Access points are designed for use in many countries with varying regulatory requirements. You can configure a country code to ensure that the access point complies with your country's regulations. Consider the following when setting the country code:

•You can configure up to 20 countries per controller.

•Because only one auto-RF engine and one list of available channels exist, configuring multiple countries limits the channels available to auto-RF in the common channels. A common channel is one that is legal in each and every configured country.

•When you configure access points for multiple countries, the auto-RF channels are limited to the highest power level available in every configured country. A particular access point may be set to exceed these limitations (or you may manually set the levels in excess of these limitations), but auto-RF does not automatically choose a non-common channel or raise the power level beyond that available in all countries.